Security
Security is at the core of everything we build. Here is how CompliPilot protects your data and your scans.
HTTPS & TLS Encryption
All data in transit is encrypted using TLS 1.3. We enforce HSTS with preload and automatic HTTPS redirection across all endpoints.
Data Protection & Privacy
Scanned URLs and results are processed in real time and are not stored permanently unless you opt in via a dashboard account. We never share data with third parties.
SSRF Prevention
Our scanner validates and sanitizes all target URLs before processing. Internal network addresses, localhost, and private IP ranges are blocked to prevent Server-Side Request Forgery attacks.
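The check described above, as an added example written for this page rather than CompliPilot's own scanner code: a target-URL validator that rejects non-HTTP schemes, localhost names, loopback, link-local, multicast and RFC 1918 ranges (including IPv4-mapped and IPv4-compatible IPv6 forms), and that resolves hostnames through an injected resolver so every returned record is checked. The resolver here is a constructed stub table; in production it would be backed by a real lookup.

```javascript
// Added example, not CompliPilot's scanner code: validate an outbound scan
// target before fetching it. Literal IPs are checked directly; hostnames go
// through an injected resolver (constructed stub below) so this runs offline.
const BLOCKED_V4 = [          // [network, prefix length]
  ['0.0.0.0', 8],             // "this" network
  ['10.0.0.0', 8],            // RFC 1918 private
  ['100.64.0.0', 10],         // carrier-grade NAT
  ['127.0.0.0', 8],           // loopback
  ['169.254.0.0', 16],        // link-local (cloud metadata services live here)
  ['172.16.0.0', 12],         // RFC 1918 private
  ['192.168.0.0', 16],        // RFC 1918 private
  ['224.0.0.0', 4],           // multicast
  ['240.0.0.0', 4],           // reserved, includes broadcast
];

function ipv4ToInt(s) {       // dotted quad -> unsigned 32-bit int, or null
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return null;
    n = n * 256 + Number(m[i]);
  }
  return n;
}

function isBlockedV4(ipInt) {
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ipInt & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Expand an IPv6 literal into eight 16-bit groups (null if malformed).
function parseV6(s) {
  const halves = s.toLowerCase().split('%')[0].split('::');   // drop zone id
  if (halves.length > 2) return null;
  const toGroups = (part) => {
    const out = [];
    for (const g of part ? part.split(':') : []) {
      if (g.includes('.')) {                 // embedded dotted IPv4, e.g. ::ffff:10.0.0.1
        const v4 = ipv4ToInt(g);
        if (v4 === null) return null;
        out.push(v4 >>> 16, v4 & 0xffff);
      } else if (/^[0-9a-f]{1,4}$/.test(g)) {
        out.push(parseInt(g, 16));
      } else return null;
    }
    return out;
  };
  const head = toGroups(halves[0]);
  const tail = halves.length === 2 ? toGroups(halves[1]) : [];
  if (head === null || tail === null) return null;
  const fill = 8 - head.length - tail.length;
  if (halves.length === 2 ? fill < 1 : fill !== 0) return null;
  return [...head, ...new Array(fill).fill(0), ...tail];
}

function isBlockedV6(g) {
  const zeroPrefix = g.slice(0, 5).every((x) => x === 0);
  if (g.every((x) => x === 0)) return true;                                // :: unspecified
  if (zeroPrefix && g[5] === 0 && g[6] === 0 && g[7] === 1) return true;   // ::1 loopback
  if (zeroPrefix && (g[5] === 0xffff || g[5] === 0)) {                     // ::ffff:a.b.c.d / ::a.b.c.d
    return isBlockedV4(((g[6] << 16) | g[7]) >>> 0);                       // apply the IPv4 rules
  }
  if ((g[0] & 0xfe00) === 0xfc00) return true;                             // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true;                             // fe80::/10 link-local
  if ((g[0] & 0xff00) === 0xff00) return true;                             // ff00::/8 multicast
  return false;
}

function isBlockedAddress(ip) {
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) return isBlockedV4(v4);
  const v6 = parseV6(ip);
  return v6 === null ? true : isBlockedV6(v6);   // unparseable address: fail closed
}

function validateScanTarget(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'malformed URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // WHATWG URL already canonicalises decimal/octal/hex IPv4 hosts to dotted quads.
  let host = url.hostname.toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  const isLiteral = ipv4ToInt(host) !== null || parseV6(host) !== null;
  const addresses = isLiteral ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: 'host does not resolve' };
  const bad = addresses.find(isBlockedAddress);        // any single bad record rejects the target
  if (bad !== undefined) return { ok: false, reason: `resolves to blocked address ${bad}` };
  return { ok: true, host, addresses };                // connect to these addresses; do not re-resolve
}

// Constructed DNS table standing in for dns.promises.lookup(host, { all: true }).
const STUB_DNS = {
  'example.com': ['203.0.113.10'],
  'intranet.example': ['10.1.2.3'],
  'split.example': ['203.0.113.5', '10.0.0.1'],   // one public and one private record
};
const stubResolve = (host) => STUB_DNS[host] || [];
```

Two caveats matter in practice: the fetch should connect to the addresses returned by the validator rather than resolving the name again, so a record cannot change between check and use, and every redirect hop needs the same validation before it is followed.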
Rate Limiting
API and scan requests are rate-limited per IP and per account to prevent abuse. Free tier: 10 scans/day. Pro plans have higher limits with DDoS protection.
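A per-IP and per-account limiter of the kind described above, added here as an example (not CompliPilot's own code). The free-tier figure of 10 scans per day comes from the page; the pro-tier numbers are placeholders. The clock is passed in so the behaviour can be checked offline, and the window is a sliding one, so a burst at the end of one day does not reset at midnight.

```javascript
// Added example, not CompliPilot's code: sliding-window rate limiting keyed
// per IP and per account. Timestamps are milliseconds; `now` is injected.
const DAY_MS = 24 * 60 * 60 * 1000;

const PLAN_LIMITS = {
  free: { perIp: 10, perAccount: 10, windowMs: DAY_MS },      // 10 scans/day from the page
  pro:  { perIp: 500, perAccount: 500, windowMs: DAY_MS },    // hypothetical figure
};

class SlidingWindowLimiter {
  constructor() { this.hits = new Map(); }   // key -> timestamps inside the window, oldest first

  // Records a hit if under the limit; otherwise reports how long until the oldest hit expires.
  check(key, limit, windowMs, now) {
    const cutoff = now - windowMs;
    const stamps = (this.hits.get(key) || []).filter((t) => t > cutoff);   // prune expired hits
    if (stamps.length >= limit) {
      this.hits.set(key, stamps);
      return { allowed: false, retryAfterMs: stamps[0] + windowMs - now };
    }
    stamps.push(now);
    this.hits.set(key, stamps);
    return { allowed: true, remaining: limit - stamps.length };
  }
}

function makeScanGate() {
  const limiter = new SlidingWindowLimiter();
  return function checkScanRequest({ ip, accountId = null, plan = 'free' }, now = Date.now()) {
    const limits = PLAN_LIMITS[plan] || PLAN_LIMITS.free;
    // Per-IP first: it applies to anonymous and authenticated callers alike, and a request
    // later refused at account level still counts against the IP, so retries are not free.
    const byIp = limiter.check(`ip:${ip}`, limits.perIp, limits.windowMs, now);
    if (!byIp.allowed) return { allowed: false, scope: 'ip', retryAfterMs: byIp.retryAfterMs };
    if (accountId !== null) {
      const byAcct = limiter.check(`acct:${accountId}`, limits.perAccount, limits.windowMs, now);
      if (!byAcct.allowed) return { allowed: false, scope: 'account', retryAfterMs: byAcct.retryAfterMs };
    }
    return { allowed: true, remainingForIp: byIp.remaining };
  };
}
```

The `retryAfterMs` value maps directly onto a `Retry-After` response header, which is the signal well-behaved clients use to back off.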
GDPR Compliance
CompliPilot is fully GDPR-compliant. We provide data export, deletion on request, and transparent data processing policies. Our DPA is available for enterprise customers.
Content Security Policy
Strict CSP headers prevent XSS attacks, clickjacking, and unauthorized script injection. We also set X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers.
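The header set from this section and the HSTS policy from the "HTTPS & TLS Encryption" section, as one added example (not CompliPilot's own configuration): a recommended header map plus an audit function that flags missing or weak values when run over a response's headers. The specific CSP directives and the Referrer-Policy value are assumptions; the page names the header types but not their values.

```javascript
// Added example, not CompliPilot's configuration: a hardened header set and an
// audit that reports findings for a given response header map.
const ONE_YEAR = 31536000;   // seconds; the minimum max-age for the HSTS preload list

function buildCsp(directives) {
  return Object.entries(directives).map(([name, values]) => `${name} ${values.join(' ')}`).join('; ');
}

const RECOMMENDED_HEADERS = {                           // assumed values, not CompliPilot's
  'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains; preload`,
  'Content-Security-Policy': buildCsp({
    'default-src': ["'self'"],
    'script-src': ["'self'"],          // no inline scripts, no third-party script origins
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'frame-ancestors': ["'none'"],     // clickjacking protection for CSP-aware browsers
    'form-action': ["'self'"],
  }),
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',           // clickjacking protection for older browsers
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

function parseDirectives(csp) {        // "name v1 v2; name2 v3" -> { name: [v1, v2], name2: [v3] }
  const out = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Returns a list of findings; an empty list means every check passed.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);   // header names are case-insensitive
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('HSTS missing');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push('HSTS max-age below one year');
    if (!/includesubdomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
    if (!/preload/i.test(hsts)) findings.push('HSTS lacks preload');
  }

  const d = h['content-security-policy'] ? parseDirectives(h['content-security-policy']) : null;
  if (!d) findings.push('CSP missing');
  else {
    const script = d['script-src'] || d['default-src'] || [];   // script-src falls back to default-src
    if (script.includes("'unsafe-inline'")) findings.push("CSP script-src allows 'unsafe-inline'");
    if (script.includes('*')) findings.push('CSP script-src allows any origin');
    if (!d['object-src'] && !d['default-src']) findings.push('CSP lacks object-src');
  }

  const framingOk = (d && d['frame-ancestors']) || /^(deny|sameorigin)$/i.test(h['x-frame-options'] || '');
  if (!framingOk) findings.push('no clickjacking protection (frame-ancestors or X-Frame-Options)');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (!h['referrer-policy']) findings.push('Referrer-Policy missing');
  return findings;
}
```

Running the audit against a site's own responses in CI catches the common regression where a framework upgrade or a new third-party widget quietly loosens `script-src`.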
Authentication Security
User accounts are protected with bcrypt-hashed passwords, session management, and optional two-factor authentication. API keys are securely generated and can be revoked at any time.
Infrastructure
Hosted on Vercel's globally distributed edge network with automatic failover, DDoS protection, and SOC 2 Type II compliance. All infrastructure is managed and monitored 24/7.
Report a Vulnerability
If you discover a security vulnerability, please report it responsibly via security@complipilot.dev. We take all reports seriously and will respond within 48 hours.