Security Statement
Effective date: June 28, 2026 · Last updated: June 28, 2026 · Version 1.0
PRE-CERTIFICATION — Compliant with ISO/IEC 27001 Annex A control objectives and ISO/IEC 27701 PIMS principles. Formal third-party certification in progress.

Our Commitment

RAPTOR™ LLM Scanner is currently operated by its founder as an individually-operated platform, pending completion of formal business entity formation. Security and privacy are foundational to how we build, not an afterthought bolted on after launch. This page documents our current technical and organizational controls, and our roadmap toward formal ISO/IEC 27001 (Information Security Management) and ISO/IEC 27701 (Privacy Information Management) certification.

We are compliant with the control framework but not yet ISO certified. Our technical and organizational controls are built in direct alignment with the ISO 27001 Annex A control objectives and the ISO 27701 PIMS extension. Formal third-party certification — the independent audit that results in an official ISO certificate — is planned for Sprint 23 and beyond, once revenue supports the audit cost. Until that audit is complete, we do not claim to hold an ISO certificate, only that our practices are built to meet the standard's requirements.

Infrastructure & Technology Stack

LayerProviderPurpose
CDN / DNS / DDoSCloudflareEdge security, TLS termination, traffic routing
Frontend HostingCloudflare PagesStatic site delivery, auto-deploy from GitHub
Backend ComputeDocker on private VM (Florida)API server, isolated container runtime
DatabaseSupabase (AWS-backed)User accounts, subscription state
PaymentsStripePCI DSS Level 1 certified payment processing
Source ControlGitHubVersion control, deployment trigger
Infra AccessTailscale VPNZero-trust network access — no public SSH exposure
EmailBrevo (SMTP relay)Transactional and domain-authenticated email

Current Controls — Mapped to ISO 27001 Annex A

A.5 — ORGANIZATIONAL
Information Security Policies
Documented Privacy Policy and Security Statement published and version-controlled.
LIVE
A.5 — ORGANIZATIONAL
Data Controller Designation
Platform founder formally designated as Data Controller for all subscriber and advertiser PII pending business entity formation.
LIVE
A.6 — PEOPLE
Single Operator Accountability
Solo-operated infrastructure under direct founder accountability with documented access procedures.
LIVE
A.7 — PHYSICAL
Cloud Infrastructure Only
No on-premise physical servers holding production PII. All compute via reputable cloud providers with their own physical security certifications.
LIVE
A.8 — TECHNOLOGICAL
Encryption in Transit
TLS/HTTPS enforced on all public-facing connections via Cloudflare.
LIVE
A.8 — TECHNOLOGICAL
Access Control
Infrastructure access restricted to Tailscale VPN. No public SSH exposure. Credential-based GitHub auth with personal access tokens.
LIVE
A.8 — TECHNOLOGICAL
Password Storage
Bcrypt salted hashing for all stored credentials. Plaintext passwords never stored or logged.
SPRINT 7
A.8 — TECHNOLOGICAL
Payment Data Isolation
Full card data never touches RAPTOR servers. Stripe handles PCI DSS Level 1 compliant processing entirely.
SPRINT 8
A.5 — ORGANIZATIONAL
Data Processing Agreements
DPAs in place with Stripe, Cloudflare, and Supabase governing processor obligations.
LIVE
A.8 — TECHNOLOGICAL
Logging & Monitoring
Server logs retained 30 days for security monitoring and incident investigation.
LIVE
A.5 — ORGANIZATIONAL
Incident Response Procedure
Breach notification commitment of 72 hours to affected users, in line with GDPR Article 33 timelines.
LIVE
A.5 — ORGANIZATIONAL
Data Retention Schedule
Documented retention periods per data category — published in Privacy Policy Section 6.
LIVE

Compliance Roadmap

NOW
Foundational documentation — Privacy Policy, Security Statement, Data Processing Agreements with all processors. Controller designation will be formalized under a registered business entity upon completion of pending business formation.
SPRINT 4
Backend architecture & cloud diversity decision — Frontend (Cloudflare Pages) and database (Supabase/AWS) are already independent of single-point-of-failure home infrastructure. Open decision: whether backend API logic runs as a long-running Express server on the Florida VM (single point of failure during local outages) versus Supabase Edge Functions or Cloudflare Workers (globally distributed, no dependency on residential power/network). To be resolved before Sprint 4 build begins.
SPRINT 7-8
Authentication & payments hardening — JWT auth with bcrypt password hashing, Stripe integration with PCI-compliant tokenization, audit logging on all account actions.
SPRINT 19
Pre-acquisition security audit — Internal review of all controls ahead of acquisition conversations, ensuring buyer due diligence is friction-free.
SPRINT 23+
Formal ISO/IEC 27001 certification — Gap analysis, Information Security Management System (ISMS) implementation per Clause 4 (Context of Organization) and Clause 8 (Operations), full Annex A control implementation, third-party certification audit.
SPRINT 24+
ISO/IEC 27701 PIMS extension — Privacy Information Management System layered on the certified ISMS, covering controller-specific obligations for subscriber and advertiser data under GDPR, CCPA, and other applicable privacy regimes.

Reporting a Security Issue

If you believe you've discovered a security vulnerability in RAPTOR™ LLM Scanner, please report it responsibly to [email protected]. We commit to acknowledging reports within 48 hours and will work with you in good faith to understand and resolve the issue before any public disclosure.

Please do not test for vulnerabilities against production systems in ways that could degrade service for other users. Responsible disclosure is appreciated and will be credited if desired.

Questions

For security-related inquiries, vendor due diligence questionnaires, or advertiser security reviews, contact [email protected]. For privacy and data rights requests, see our Privacy Policy or contact [email protected].