Trust center

Every claim we make about security is something we've published, audited, or scanned ourselves. This page links the evidence.

Compliance & attestations

GDPR-compliant data handling

active

View →

MITRE CWE-Compatible (applied)

in progress

Every finding ships with CWE, OWASP Top 10 2021, ASVS 4.0, and CVSS v3.1 mappings. Registration under review.

View →

Paddle Merchant of Record

active

All payment processing, tax collection, and invoicing handled by Paddle. We never see card data.

View →

SOC 2 Type 1

planned

Vanta engagement kicking off 2026-05. Target Type 1 attestation by end of Q3 2026.

Responsible disclosure policy

active

Safe harbor for good-faith research, RFC 9116 machine-readable contact, 90-day disclosure window, public hall-of-fame recognition.

View →

Weekly self-scan

active

Sekrd scans itself every Sunday. Latest report and score published below.

View →

GitHub Marketplace verified

active

Sekrd Deep Security Scanner is published on the GitHub Marketplace. Uploads SARIF to Code Scanning, posts PR comments, fails builds on configured severity.

View →

Operational status

Live status

Real-time health + 30-day uptime history, independently measured by UptimeRobot.

Live probe Uptime history ↗

Self-scan

We run Sekrd against sekrd.com every Sunday. The latest score is embedded below — the same score any user would get running a scan.

Latest self-scan badge. Live at /badge/sekrd-com.svg.

Subprocessors

Third parties we share data with. Listed for GDPR transparency and enterprise diligence.

Vendor	Purpose	Region
Paddle.com	Payments (Merchant of Record)	Global
Amazon Web Services	Compute, storage, email (SES)	eu-north-1
Cloudflare	CDN + DNS + Turnstile human verification	Global
onaiu.com SMTP	Transactional email (alerts, receipts)	Custom
NextAuth.js + Google/GitHub/GitLab OAuth	Third-party sign-in (email never stored without consent)	Global

Data retention

Customer account data (email, plan)	Until account deletion + 30d grace
Scan history + findings	Free: 30d. Paid: plan-dependent (30-365d). Deletable on request.
Payment records (via Paddle)	7 years per tax-law baseline
API-key usage logs	90d for rate-limit + billing reconciliation
Auth session tokens	In-memory only; JWT expiry 7d

Security researcher acknowledgments

Researchers who reported validated issues. If you've found one and want to be listed, email security@sekrd.com.

No public acknowledgments yet — be the first.

Missing something you need for vendor review? Email security@sekrd.com with the specific framework control and we'll add the evidence here.

Trust center

Every claim we make about security is something we've published, audited, or scanned ourselves. This page links the evidence.

Compliance & attestations

GDPR-compliant data handling

active

View →

MITRE CWE-Compatible (applied)

in progress

Every finding ships with CWE, OWASP Top 10 2021, ASVS 4.0, and CVSS v3.1 mappings. Registration under review.

View →

Paddle Merchant of Record

active

All payment processing, tax collection, and invoicing handled by Paddle. We never see card data.

View →

SOC 2 Type 1

planned

Vanta engagement kicking off 2026-05. Target Type 1 attestation by end of Q3 2026.

Responsible disclosure policy

active

Safe harbor for good-faith research, RFC 9116 machine-readable contact, 90-day disclosure window, public hall-of-fame recognition.

View →

Weekly self-scan

active

Sekrd scans itself every Sunday. Latest report and score published below.

View →

GitHub Marketplace verified

active

Sekrd Deep Security Scanner is published on the GitHub Marketplace. Uploads SARIF to Code Scanning, posts PR comments, fails builds on configured severity.

View →

Operational status

Live status

Real-time health + 30-day uptime history, independently measured by UptimeRobot.

Live probe Uptime history ↗

Self-scan

We run Sekrd against sekrd.com every Sunday. The latest score is embedded below — the same score any user would get running a scan.

Latest self-scan badge. Live at /badge/sekrd-com.svg.

Subprocessors

Third parties we share data with. Listed for GDPR transparency and enterprise diligence.

Vendor	Purpose	Region
Paddle.com	Payments (Merchant of Record)	Global
Amazon Web Services	Compute, storage, email (SES)	eu-north-1
Cloudflare	CDN + DNS + Turnstile human verification	Global
onaiu.com SMTP	Transactional email (alerts, receipts)	Custom
NextAuth.js + Google/GitHub/GitLab OAuth	Third-party sign-in (email never stored without consent)	Global

Data retention

Customer account data (email, plan)	Until account deletion + 30d grace
Scan history + findings	Free: 30d. Paid: plan-dependent (30-365d). Deletable on request.
Payment records (via Paddle)	7 years per tax-law baseline
API-key usage logs	90d for rate-limit + billing reconciliation
Auth session tokens	In-memory only; JWT expiry 7d

Security researcher acknowledgments

Researchers who reported validated issues. If you've found one and want to be listed, email security@sekrd.com.

No public acknowledgments yet — be the first.

Missing something you need for vendor review? Email security@sekrd.com with the specific framework control and we'll add the evidence here.