Our Security

Last updated: March 2026

Security is foundational to everything we build. As a security intelligence platform, we hold ourselves to the highest standards for protecting your data and our infrastructure.

Our Security Commitment

As a platform that identifies security vulnerabilities in other organizations, we recognize the critical importance of securing our own systems. We apply the same rigorous standards to our infrastructure that we recommend to our customers. Our architecture is designed with defense in depth, least privilege, and zero trust principles at every layer.

In Transit Encryption: TLS 1.3

At Rest Encryption: AES-256

Breach Notification: < 72h

Platform Uptime SLA: 99.9%

1. Infrastructure Security

AuditROI runs on a fully serverless architecture with no persistent servers to compromise. Every component is designed for isolation, immutability, and automated recovery.

Serverless Compute

Compute runs on AWS Lambda and Cloudflare Workers: no SSH, no persistent OS, no patch management. Functions execute in ephemeral, isolated containers that are destroyed after each invocation.

Immutable Deployments

All infrastructure deployed via CI/CD pipelines with no manual access to production. Every deployment is a fresh, versioned artifact, never patched in place.

Tenant Isolation

Each customer's scan data is stored in logically isolated environments with row-level security. No cross-account data access is possible at the infrastructure level.

Infrastructure as Code

All cloud resources defined declaratively in version-controlled templates. No manual configuration, no configuration drift, full auditability.

Zero Standing Access: No engineer has persistent access to production systems. All access is just-in-time, audited, and automatically revoked after the session ends.

2. Data Protection

All data is protected with industry-standard encryption at every stage of its lifecycle.

Encryption Layers

In Transit (TLS 1.3): All communications between clients and our APIs use TLS 1.3 with forward secrecy. Inter-service communication uses mutual TLS (mTLS).

At Rest (AES-256): All stored data (scan results, reports, user data, and backups) is encrypted with AES-256, using database-level encryption with AWS-managed keys (KMS).

In Processing (Isolated): Scan engines operate in ephemeral containers. Data is processed in memory and never written to persistent disk unencrypted.

Data Classification

Classification | Examples                                               | Protection
Critical       | API keys, passwords, scan credentials                  | Encrypted, vault-stored, never logged
Confidential   | Scan results, vulnerability reports, customer domains  | Encrypted at rest, RBAC, tenant-isolated
Internal       | Usage analytics, system metrics, audit logs            | Encrypted at rest, access-controlled
Public         | Marketing content, documentation, pricing              | Integrity-verified, CDN-cached

3. Authentication & Access Control

Password Security

Passwords are hashed with bcrypt (work factor 12). We never store plaintext passwords. Password strength requirements are enforced at registration.

Session Management

Secure, HTTP-only session cookies with SameSite protection. Sessions automatically expire after inactivity. Concurrent session limits enforced.

API Authentication

Scoped API keys with granular permissions. Keys can be rotated at any time. All API calls authenticated and rate-limited per key.

Role-Based Access

Internal systems use RBAC with the principle of least privilege. Production access requires multi-person approval and is time-limited.

Enterprise Feature: Enterprise tier customers can configure SSO (SAML 2.0), enforce MFA for all team members, and set custom session policies.

4. Network Security

Multiple layers of network protection shield the platform from external threats.

DDoS Protection

Cloudflare Enterprise-grade DDoS mitigation with automatic traffic scrubbing. 330+ edge locations absorb volumetric attacks before they reach our infrastructure.

Web Application Firewall

Cloudflare WAF with custom rulesets blocks SQL injection, XSS, and other OWASP Top 10 attacks. Rules updated continuously against emerging threats.

Rate Limiting

Intelligent rate limiting at the edge prevents abuse and brute-force attacks. Per-IP and per-API-key limits with automatic throttling and blocking.

HTTPS Only, HSTS Enforced, CSP Headers, X-Frame-Options, X-Content-Type, Referrer-Policy, Permissions-Policy

All security headers configured and enforced across every endpoint.
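As an added example (not AuditROI's own code), the header set listed above expressed as a Cloudflare Workers-style response wrapper, plus a checker that reports which of the required headers an endpoint's response is missing; the header values, the `handleRequest` entry point and the origin proxying are assumptions for illustration.

```javascript
// Added example, not AuditROI's code. The header names mirror the badges above;
// the values are illustrative assumptions and should be tuned per application.
const SECURITY_HEADERS = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};
const REQUIRED = Object.keys(SECURITY_HEADERS).map((n) => n.toLowerCase());

// Merge the security headers into a plain { name: value } object, replacing any
// existing value (case-insensitively) so that an individual endpoint cannot ship
// a weaker policy than the edge is meant to enforce.
function withSecurityHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!REQUIRED.includes(name.toLowerCase())) out[name] = value;
  }
  return Object.assign(out, SECURITY_HEADERS);
}

// Audit helper: which required headers are absent or empty on a response?
// Suitable as a CI check that "every endpoint" really carries the full set.
function missingSecurityHeaders(headers) {
  const present = new Set(
    Object.entries(headers)
      .filter(([, v]) => typeof v === "string" && v.trim() !== "")
      .map(([n]) => n.toLowerCase())
  );
  return REQUIRED.filter((n) => !present.has(n));
}

// Workers-style entry point (assumed shape): force HTTPS, then proxy to the
// origin and rewrite the response with the hardened header set.
async function handleRequest(request) {
  const url = new URL(request.url);
  if (url.protocol === "http:") {
    url.protocol = "https:";
    return Response.redirect(url.toString(), 301); // "HTTPS Only"
  }
  const upstream = await fetch(request);
  const merged = withSecurityHeaders(Object.fromEntries(upstream.headers));
  return new Response(upstream.body, { status: upstream.status, headers: merged });
}
```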

5. Scanning Ethics & Responsible Use

AuditROI performs non-invasive, external-only scanning. We are committed to responsible, ethical security assessment practices.

What Our Scanners Do

Analyze publicly accessible web pages and APIs

Check DNS records, SSL/TLS certificates, and headers

Identify known CVEs in observable technology stacks

Assess security header configuration and best practices

Detect exposed services on standard ports

Cross-reference findings against threat intelligence feeds

What Our Scanners Never Do

Attempt to exploit discovered vulnerabilities

Access internal networks, databases, or file systems

Perform denial-of-service or load testing

Brute-force login pages or authentication endpoints

Inject payloads or modify target systems in any way

Scrape or store personal data found on scanned sites

Domain Authorization Required: Users must verify ownership or authorization for every domain submitted for scanning. Scans are rate-limited and respect robots.txt directives. Our scan traffic identifies itself with a recognizable User-Agent string.

6. Application Security

Security is embedded in our development lifecycle from design through deployment.

Design: Threat Modeling

New features undergo threat modeling before development begins. We identify attack surfaces and design mitigations proactively.

Code: Secure Development

Developers follow secure coding guidelines (OWASP). All code changes require peer review with security considerations as a review criterion.

Test: Automated Security Testing

CI/CD pipeline includes SAST (static analysis), dependency vulnerability scanning, and secret detection. Builds fail on critical findings.

Deploy: Immutable Releases

Artifacts are cryptographically signed. Deployments are atomic and reversible. Production access is separate from development.

Monitor: Runtime Protection

Application-level logging, anomaly detection, and real-time alerting on suspicious activity patterns.

Dependency Scanning

Automated daily scans of all dependencies for known vulnerabilities

Secret Detection

Pre-commit hooks and CI checks prevent secrets from entering the codebase

Input Validation

All user inputs sanitized and validated at API boundaries

7. Incident Response

We maintain a documented incident response plan with clear escalation procedures, communication protocols, and post-incident review processes.

Response Timeline

Detection & Triage (< 15 min)

Automated monitoring triggers alerts. On-call engineer assesses severity and begins investigation.

Containment (< 1 hour)

Isolate affected systems. Prevent further data exposure. Begin forensic evidence preservation.

Assessment (< 4 hours)

Determine scope of impact. Identify root cause. Prepare stakeholder communication.

Notification (< 72 hours)

Notify affected customers and relevant authorities per GDPR/NDB Scheme requirements.

Post-Mortem (< 14 days)

Publish internal post-mortem with root cause analysis, timeline, and preventive measures.

Mandatory Breach Notification: In the event of a data breach involving personal information, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals under the Notifiable Data Breaches (NDB) scheme within 72 hours. EU customers are notified in accordance with GDPR Article 33/34 requirements.

8. Business Continuity & Disaster Recovery

Automated Backups (Daily)

Continuous database backups with point-in-time recovery. Backups encrypted with AES-256 and stored in a separate AWS region.

Multi-Region (3 AZs)

Critical services deployed across multiple availability zones. Automatic failover with no manual intervention required.

Recovery Time (< 4h RTO)

Target RTO of 4 hours and RPO of 1 hour for critical services. Regular disaster recovery drills to validate recovery procedures.

Edge Caching (330+ PoPs)

Static assets and API responses cached at 330+ Cloudflare edge locations. Platform remains accessible even during origin disruptions.

9. Compliance & Standards

AuditROI aligns with internationally recognized security frameworks and privacy regulations.

Privacy Act 1988 (Cth)

Regulation

Full compliance with Australian Privacy Principles (APPs) including the Notifiable Data Breaches scheme.

GDPR

Regulation

EU General Data Protection Regulation compliance for European customers. Data processing agreements available.

OWASP Top 10

Framework

Our development practices address all OWASP Top 10 risks. Our scanners also detect these vulnerabilities in customer assets.

NIST Cybersecurity Framework

Framework

Our security program is structured around the five NIST CSF functions: Identify, Protect, Detect, Respond, Recover.

PCI-DSS (Stripe)

Standard

Payment processing handled by Stripe, a PCI-DSS Level 1 certified service provider. We never store card data.

CIS Controls

Framework

Internal infrastructure hardened against CIS Benchmarks. Configuration baselines enforced via automation.

Enterprise Customers: We can provide security questionnaire responses, data processing agreements (DPAs), and detailed compliance documentation upon request. Contact hello@auditroi.com.

10. Responsible Disclosure

We welcome security researchers to responsibly report vulnerabilities in our platform. We believe in working collaboratively with the security community to keep our users safe.

How to Report a Vulnerability

1. Email your findings to hello@auditroi.com with a detailed description, steps to reproduce, and any proof-of-concept code.

2. Include the affected URL/endpoint, the type of vulnerability, and the potential impact.

3. We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days.

4. We will work with you to understand and resolve the issue, and keep you informed of our progress.

Our Commitments

Acknowledge reports within 48 hours

Initial assessment within 5 business days

No legal action against good-faith researchers

Credit in our security advisories (if desired)

Timely remediation of confirmed vulnerabilities

Out of Scope

Social engineering or phishing of our employees

Denial-of-service attacks against our infrastructure

Automated vulnerability scanning without coordination

Accessing or modifying other users' data

Publicly disclosing before we've had time to remediate

Safe Harbor: We consider security research conducted in accordance with this policy to be authorized and will not initiate legal action against researchers who comply with these guidelines. We ask that you act in good faith, avoid privacy violations, and do not disrupt our services or compromise user data.

Contact Our Security Team

For security concerns, vulnerability reports, or compliance inquiries:

QuestFeed Pty Ltd

ABN: 58 632 013 855

Security: hello@auditroi.com

Privacy: hello@auditroi.com

Web: auditroi.com

Location: Queensland, Australia

Document Version: 3.0 | Effective: March 2026