Trust & Security
How Resensor secures your data, who we rely on to run the platform, and exactly where we stand on compliance. We are a security company, so we hold ourselves to the standard we measure others against.
Resensor is an external attack surface management platform. You trust us with a map of your most sensitive infrastructure, so this page lays out, in plain terms, how we protect it. For the binding legal detail, see our Privacy Policy and Terms of Service.
Compliance status
We believe in honest signals, so here is exactly where we stand today, with no badge we have not earned.
| Framework | Status |
|---|---|
| Certified infrastructure | In place Resensor is built and hosted entirely on SOC 2 Type II and ISO 27001 certified providers. See Infrastructure and subprocessors below. |
| GDPR (EU / UK) | Compliant Self-assessed. We act as a processor for customer data, support data-subject requests, and rely on Standard Contractual Clauses for international transfers. A Data Processing Addendum (DPA) is available on request. |
| CCPA / CPRA (California) | Compliant Self-assessed. We do not sell personal data and honor consumer privacy rights. |
| SOC 2 Type II | On our roadmap We design and operate to SOC 2 controls today, and we will pursue formal attestation as we scale. Need our security posture for a deal in flight? Email security@resensor.io and we will share detail under NDA. |
How we protect your data
- Encryption in transit. All traffic to and from the Service is encrypted with TLS, and our public endpoints are configured for strong, modern cipher suites.
- Encrypted secrets at rest. Credentials, API tokens, and connector secrets are stored encrypted, separately from general application data.
- Least-privilege access. Access to production systems and customer data is limited to the people who need it, authenticated, and logged.
- Multi-factor authentication. MFA is available on every account, and we use it to guard access to our own infrastructure.
- Tenant isolation. Each organization's targets, scans, and findings are scoped to that organization. Members only ever see the organizations they belong to.
- Continuous monitoring. We watch our own perimeter with the same techniques the product uses, and we log and alert on anomalous activity.
- Authorized scanning only. The platform is built to assess assets you own or are authorized to assess, and we record who submitted each target.
Infrastructure and subprocessors
We run on a small, deliberate set of vendors, each carrying its own independent security certifications. They process data on our behalf under written agreements and may not use it for their own purposes.
| Provider | Purpose | Certifications |
|---|---|---|
| Cloudflare | Marketing hosting, CDN, DNS, DDoS protection | SOC 2 Type II, ISO 27001, PCI DSS |
| DigitalOcean | Application hosting and database | SOC 2 Type II, ISO 27001, PCI DSS |
| Stripe | Payment processing and subscription billing | PCI DSS Level 1, SOC 2 |
| Transactional email provider | Sign-in links, billing receipts, alert delivery | Encrypted in transit (TLS) |
For the current, authoritative subprocessor list and our data-transfer safeguards, see the Privacy Policy.
Compliance, built into the product
Compliance is also something Resensor does for you. Every finding the platform reports is tagged with the controls it maps to across SOC 2, ISO 27001:2022 Annex A, and PCI DSS v4.0, so you can turn external attack surface findings into audit evidence without re-keying anything.
Reporting a vulnerability
Found a security issue in Resensor? We want to hear about it. Email security@resensor.io with enough detail to reproduce the issue. We will acknowledge your report and keep you updated, and we will not pursue action against good-faith research that respects user data and avoids privacy violations, service disruption, and data destruction.
Data handling
You stay in control of your data. You can export or delete it from within the Service: removing a target deletes its scans, findings, and assets, and deleting your organization removes its data on a defined schedule. Full detail on retention, international transfers, and your rights lives in the Privacy Policy.