Trust

Security at FlareScan

We treat your data the way we'd want ours treated.

Certifications

Our SOC 2 Type II audit is in progress and expected in Q2 2026. We follow the AICPA Trust Services Criteria for security, availability, and confidentiality.

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Customer-specific encryption keys are managed in AWS KMS with automatic rotation.

Permission inheritance

FlareScan never widens access. Document-level permissions from your source tools are mirrored in our index and re-checked at query time. If access changes upstream, the change propagates within minutes.

Zero query retention

User queries are processed in memory and never persisted beyond the time required to return a response. Diagnostic logs are stripped of query content before storage.

Independent testing

We engage third-party security firms for annual penetration tests and continuous attack-surface monitoring. Reports are available under NDA on request.

Bug bounty

Responsible disclosure is rewarded. We pay between $250 and $10,000 depending on severity. See our public scope at security@flarescan.ai.

Sub-processors

  • Amazon Web Services — hosting (us-east-1, eu-west-1)
  • Cloudflare — edge networking and DDoS protection
  • OpenAI / Anthropic — inference (zero-retention enterprise contracts)
  • Postmark — transactional email
  • Sentry — error monitoring