Security

Security and trust at AuditWard

A scanner is only as trustworthy as its authorization model. AuditWard points active security tooling at live systems, so the first thing that matters is making sure those systems belong to the person asking for the scan. This page walks through how we verify authorization, how the scanner behaves on a target, how we encrypt your data, and what we honestly do not claim today.

Runs on AWS. Encrypted in transit and at rest.
Authorization

How a scan is authorized.

Scans only run against targets the requesting customer is authorized to test. Before full scans are permitted, customers verify domain ownership with a DNS TXT record, so a domain has to be proven before the heavy tooling ever touches it.

01 VERIFY

The customer publishes a DNS TXT record we provide. Until that record is found, the domain stays unverified and the full tooling will not run against it.

02 RECORD

Every scan session records an authorization audit trail: which domain was verified, who authorized it, and when. If a scan is ever questioned, that trail is the answer.

03 SCAN

Unverified domains are limited to a small set of lightweight, passive checks. The full active tooling, including port scanning, directory discovery, and vulnerability templates, runs only after a domain is verified.

For the operator view of how scans are authorized, see the scanner page.

Behavior

How our scanner behaves.

When the scanner does run, it stays identifiable and restrained. You can spot it in your logs, throttle it, or block it, and it follows the rules a well-behaved client should.

A published identity

The scanner identifies itself with a fixed, published User-Agent: AuditWard/1.0 (+https://auditward.com/scanner). Match that exact string to recognize our traffic in your logs and to throttle or block it. Bear in mind that the User-Agent header is set by the client, so a match tells you a request claims to be AuditWard; on its own it is not proof of origin.
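As an added example, not AuditWard's own code or tooling: a small Python filter that picks the scanner's requests out of an access log in the common Apache/nginx combined format by exact match on the published User-Agent, then summarizes what those requests touched. The log lines are constructed for the example (addresses come from the documentation ranges); the fourth line carries a lookalike agent string to show why the match is exact rather than a substring test.

```python
import re
from collections import Counter

# Published scanner User-Agent, taken from this page.
AUDITWARD_UA = "AuditWard/1.0 (+https://auditward.com/scanner)"

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed log lines (documentation address ranges). The fourth line is a
# lookalike agent that merely mentions AuditWard and must not be counted.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/May/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "AuditWard/1.0 (+https://auditward.com/scanner)"',
    '203.0.113.10 - - [12/May/2025:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "AuditWard/1.0 (+https://auditward.com/scanner)"',
    '203.0.113.10 - - [12/May/2025:10:00:03 +0000] "GET /login HTTP/1.1" 200 2048 "-" "AuditWard/1.0 (+https://auditward.com/scanner)"',
    '198.51.100.7 - - [12/May/2025:10:00:04 +0000] "GET /admin HTTP/1.1" 403 0 "-" "Mozilla/5.0 (AuditWard)"',
    '192.0.2.55 - - [12/May/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_auditward(entry):
    """Exact match on the published string; a substring test would also catch lookalikes."""
    return entry is not None and entry["ua"] == AUDITWARD_UA


def summarize_scanner_traffic(lines):
    """Count scanner requests and group them by source address, path and status."""
    hits = [e for e in map(parse_combined, lines) if is_auditward(e)]
    return {
        "requests": len(hits),
        "source_ips": sorted({e["ip"] for e in hits}),
        "paths": Counter(e["path"] for e in hits),
        "statuses": Counter(e["status"] for e in hits),
    }


if __name__ == "__main__":
    summary = summarize_scanner_traffic(SAMPLE_LOG)
    print(f"{summary['requests']} AuditWard requests from {summary['source_ips']}")
    for path, n in summary["paths"].most_common():
        print(f"  {n} x {path}")
```

Because the header is client-supplied, the summary tells you which requests claimed to be the scanner, not which ones were; keep the source addresses it reports so you can correlate them with the scan you actually authorized, and apply any throttle or block rule at your edge to the exact published string.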

Restrained load

Requests are rate-limited, concurrency is capped, and scan creation itself is throttled, so the load on a target system stays low.

Respects robots.txt

Paths disallowed by a site's robots.txt are excluded from crawl-based discovery, so the scanner stays out of the areas you have marked off. Note that robots.txt governs crawl-based discovery only; to keep a system out of scans entirely, use the opt-out described below.
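As an added example, not AuditWard's or any project's own code: how a robots.txt-respecting crawler partitions its candidate URLs, using Python's standard urllib.robotparser. The robots.txt texts and the URL list are constructed, and the example assumes that a `User-agent: AuditWard` group matches the product token of the scanner's User-Agent, which this page does not state. The second robots.txt shows the mistake to avoid: rules in the `User-agent: *` group do not carry over to a scanner-specific group, because a crawler applies only the most specific matching group, so shared paths have to be repeated there.

```python
from urllib.robotparser import RobotFileParser

# Published scanner User-Agent, taken from this page.
SCANNER_UA = "AuditWard/1.0 (+https://auditward.com/scanner)"
SITE = "https://example.com"

# Constructed robots.txt. Assumption: the group name "AuditWard" matches the
# product token of the scanner's User-Agent. The shared /admin/ rule is
# repeated in the scanner-specific group on purpose.
ROBOTS_OK = """\
User-agent: *
Disallow: /admin/

User-agent: AuditWard
Disallow: /admin/
Disallow: /staging/
"""

# Same intent, written wrong: the author expects /admin/ to stay covered by the
# "*" group, but a crawler uses only the most specific group that matches it.
ROBOTS_WRONG = """\
User-agent: *
Disallow: /admin/

User-agent: AuditWard
Disallow: /staging/
"""

# Constructed candidate URLs a crawl might have discovered.
CANDIDATES = [
    SITE + "/",
    SITE + "/login",
    SITE + "/admin/users",
    SITE + "/staging/build.log",
]


def load_robots(text, site=SITE):
    """Parse robots.txt text directly, so nothing is fetched over the network."""
    rp = RobotFileParser()
    rp.set_url(site + "/robots.txt")
    rp.parse(text.splitlines())
    return rp


def partition_urls(robots_text, urls, user_agent=SCANNER_UA):
    """Split candidate URLs into (allowed, excluded) for the given User-Agent."""
    rp = load_robots(robots_text)
    allowed = [u for u in urls if rp.can_fetch(user_agent, u)]
    excluded = [u for u in urls if not rp.can_fetch(user_agent, u)]
    return allowed, excluded


if __name__ == "__main__":
    for label, text in (("correct", ROBOTS_OK), ("wrong", ROBOTS_WRONG)):
        allowed, excluded = partition_urls(text, CANDIDATES)
        print(f"{label}: crawl {allowed}; skip {excluded}")
```

With ROBOTS_WRONG the scanner is kept out of /staging/ but is free to crawl /admin/, which is the opposite of what the author meant; a browser-style agent, which falls through to the `*` group, is still kept out of /admin/ in both files.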

No destructive testing

AuditWard does not perform denial-of-service or flooding tests, and takeover-style weaknesses are reported, never exploited.

The full behavior reference, including how to read our requests in your logs, lives on the scanner page.

Opt-out

Permanent opt-out for resource owners.

A global scan opt-out registry is checked before any scan starts. Opted-out resources are never scanned, for any customer, and the opt-out is permanent and platform-wide. If you own a system and never want it touched, that decision sticks no matter who later asks to scan it.

To opt a domain out, follow the steps on the scanner page or email security@auditward.com with proof you control the resource.

Data protection

How we protect your data.

The most sensitive data you hand us is the credentials for authenticated scans. We treat those, and everything else, with encryption in transit and at rest.

Scan credentials and answers

Login credentials and answers supplied for authenticated scans are stored only in encrypted form, never in plaintext.

Account passwords and access tokens

Account passwords are protected with one-way hashing. API and MCP access tokens are never stored in plaintext; we keep only a hashed form and cannot recover the original token.

Data in transit and hosting

Data is encrypted in transit with TLS, and customer scan data is hosted on AWS infrastructure in the United States.

Scan artifacts

Screenshots, reports, and tool output are stored in AWS S3 and served through short-lived, signed links that expire automatically.

Compute isolation

Scanning runs on isolated AWS infrastructure, and we can pause scanning platform-wide if we ever need to.

Abuse-prevention identifier

Abuse prevention uses a privacy-preserving identifier derived on our servers, not a browser tracking script. We do not place tracking cookies for this purpose.

The full detail sits in the Privacy Policy and the Data Processing Agreement.

AI processing

AI processing, and no training on your data.

AuditWard uses an LLM to triage findings and reason about pages. That processing is scoped tightly, and your data stays yours.

One inference provider

Only Amazon Bedrock processes scan and page content for AI analysis. AuditWard logs AI usage metadata (model, token counts, cost) only, not prompt or response content.

Never used to train models

Customer scan data, findings, evidence, artifacts, and credentials are never used to train, fine-tune, or benchmark any AI model, and the AI inference sub-processor is contractually restricted from doing so.

See the Privacy Policy and Data Processing Agreement for the contractual terms.

Retention

Data retention and your control.

We hold scan data for as long as it is useful to you, then clear it out. You can also remove it yourself at any time.

Intermediate artifacts expire

Intermediate scan artifacts (raw tool output and per-step screenshots) are automatically deleted 90 days after a scan runs.

Deletion and return

On account deletion or a documented request, Customer Data is deleted or returned within 30 days unless retention is required by law. You can also delete sessions, findings, and artifacts from the dashboard yourself.

Cookieless analytics

The landing site uses cookieless, privacy-focused Umami analytics and sets no consent-requiring cookies. It does not use cookie-based analytics like Google Analytics or Contentsquare.

You stay in control

Between automatic expiry and dashboard self-service, you decide what stays and what goes. Nothing lingers past the windows above unless the law requires it.

Retention windows and your rights are written out in the Privacy Policy.

Sub-processors

Sub-processors and data location.

AuditWard publishes its full sub-processor list (AWS, Mailgun, Stripe, Umami, Sentry) with processing locations and Standard Contractual Clause transfer safeguards. New sub-processors come with 30-day advance notice and a right to object, and customer scan data is processed in the United States.

The current list, with locations and safeguards, is on the sub-processors page.

Disclosure

Responsible disclosure.

If you find a security issue in AuditWard itself, we want to hear about it. We run a responsible disclosure program with a safe harbor, a defined scope, and clear response targets, plus a machine-readable security.txt so you can find the right contact fast.

Safe harbor and scope

Good-faith research within the defined scope is covered by a safe harbor, so you can report what you find without worrying about reprisal.

Response targets

We acknowledge a report within 48 hours and triage it within 5 days, and a machine-readable security.txt points you to the right contact.

Recognition, not bounty

There is no paid bug bounty. Researchers who report valid issues get recognition for the work.

Read the program terms and how to submit on the responsible disclosure page.

Compliance

What compliance tagging actually gives you.

AuditWard tags each finding to SOC 2, PCI DSS 4.0, GDPR, OWASP Top 10, HIPAA, and ISO 27001 as a product feature to help you gather evidence. Read that for what it is. The tags point you at the controls a finding relates to so you can build your own evidence package.

This is evidence support, not a certification. AuditWard does not hold those certifications and is not a PCI Approved Scanning Vendor. Tagging a finding to a framework does not make you compliant.

See what each framework tag covers, and where it stops, on the compliance overview.

Procurement

For security and procurement teams.

Running a vendor review? Start with the documents that answer most questionnaires: the Data Processing Agreement, the Privacy Policy, and the sub-processors list. For anything they do not cover, email security@auditward.com or contact@auditward.com.

We would rather you find the gaps here than in a sales call, so here is what AuditWard does not claim today. We do not have a SOC 2 or ISO 27001 certification or report. There is no uptime or availability SLA, and no paid bug bounty. If your review needs one of those, we will tell you plainly that we do not have it yet.

FAQ

Security questions.

Is it legal and safe to let AuditWard scan my site?

Scans only run against targets the requesting customer is authorized to test, and you have to verify domain ownership with a DNS TXT record before the full tooling runs. Every session records who authorized the scan and when. The scanner is rate-limited with capped concurrency, respects your robots.txt, identifies itself with a published User-Agent, and never runs denial-of-service or flooding tests.

How do I stop AuditWard from scanning a domain I own?

A global opt-out registry is checked before any scan starts. Email security@auditward.com with proof you control the resource, and once we verify it we add it to the registry. The opt-out is permanent and platform-wide, so the domain is never scanned again for any customer.

Where is my scan data stored and for how long?

Customer scan data is hosted on AWS infrastructure in the United States, encrypted in transit with TLS, and artifacts in S3 are served through short-lived, signed links that expire automatically. Intermediate artifacts such as raw tool output and per-step screenshots are deleted 90 days after a scan runs. On account deletion or a documented request, Customer Data is deleted or returned within 30 days unless retention is required by law, and you can delete sessions, findings, and artifacts from the dashboard yourself.

Do you use my data or credentials to train AI models?

No. Only Amazon Bedrock processes scan and page content for AI analysis, and we log usage metadata (model, token counts, cost) only, not prompt or response content. Your scan data, findings, evidence, artifacts, and credentials are never used to train, fine-tune, or benchmark any AI model, and our AI inference sub-processor is contractually restricted from doing so.

Is AuditWard SOC 2 or ISO 27001 certified?

No. AuditWard does not hold a SOC 2 or ISO 27001 certification or report. What we offer is finding-level tagging to SOC 2, ISO 27001, and other frameworks as a product feature to help you gather evidence, which is evidence support and not a certification. For a vendor review, see the Data Processing Agreement and the sub-processors list, and email security@auditward.com with anything they do not cover.