Security is at the core of everything we build. Here is how CompliPilot protects your data and your scans.
All data in transit is encrypted using TLS 1.3. We enforce HSTS with preload and automatic HTTPS redirection across all endpoints.
Scanned URLs and results are processed in real-time and not stored permanently unless you opt-in via a dashboard account. We never share data with third parties.
Our scanner validates and sanitizes all target URLs before processing. Internal network addresses, localhost, and private IP ranges are blocked to prevent Server-Side Request Forgery attacks.
API and scan requests are rate-limited per IP and per account to prevent abuse. Free tier: 10 scans/day. Pro plans have higher limits with DDoS protection.
CompliPilot is fully GDPR-compliant. We provide data export, deletion on request, and transparent data processing policies. Our DPA is available for enterprise customers.
Strict CSP headers prevent XSS attacks, clickjacking, and unauthorized script injection. We also set X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers.
User accounts are protected with bcrypt-hashed passwords, session management, and optional two-factor authentication. API keys are securely generated and can be revoked at any time.
Hosted on Vercel's globally distributed edge network with automatic failover, DDoS protection, and SOC 2 Type II compliance. All infrastructure is managed and monitored 24/7.
If you discover a security vulnerability, please report it responsibly via security@complipilot.dev. We take all reports seriously and will respond within 48 hours.