{!} ServerAudit

Last updated: May 2026

How we protect your server and your data

Full transparency on how the audit works, what data travels, and what security measures we apply. If you have questions, ask us.

The agent runs on your server, not ours

When you paste the command into your terminal, a lightweight script downloads and runs locally on your machine. We never access your server via SSH, never receive credentials, and have no remote access of any kind.

The agent detects your stack (operating system, Docker, Nginx, databases), runs security checks, and sends only the results to our API. When done, it deletes itself automatically.

What the agent sends (and what it does not)

It does send:

  • Configuration states: whether admin SSH login is enabled, which ports are open, whether the firewall is active.
  • Installed software versions (to detect known vulnerabilities).
  • System metadata: Linux distribution, kernel version, active services.

It does not send:

  • Server file contents.
  • Environment variable values, passwords, or API keys.
  • Database contents or application code.
  • SSL certificates or private keys.

The agent does not modify your server

The agent is read-only. It does not change configuration, restart services, install packages, or create users. It reads system information to evaluate it, nothing more.

The script deletes itself when finished. Your server stays exactly as it was before the audit.
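The collection model described above (states only, no file contents or secrets, no writes) as an added shell illustration; this is not the ServerAudit agent's code. It reads PermitRootLogin from an sshd_config, the distribution ID from an os-release file and the kernel version, then refuses to upload if any environment variable value appears in the payload. The file-path arguments, the `--demo` flag and the sample inputs are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration (not the ServerAudit agent's code): a read-only collector
# that gathers only configuration *states*, plus a guard that refuses to upload
# a payload containing any environment variable value. File paths are passed
# in so the example runs against constructed inputs; "Match" blocks in
# sshd_config are ignored for brevity.

# Effective PermitRootLogin: sshd uses the first value it sees, and the
# built-in default (OpenSSH 7.0+) is prohibit-password.
ssh_root_login() {
  awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
       END { if (!found) print "prohibit-password" }' "$1"
}

# Distribution ID from an os-release file, without hostname or other identity.
os_id() {
  awk -F= '$1 == "ID" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Assemble the payload: states and versions only, read with no side effects.
build_payload() {
  printf '{"ssh_root_login":"%s","distro":"%s","kernel":"%s"}\n' \
    "$(ssh_root_login "$1")" "$(os_id "$2")" "$(uname -r)"
}

# Pre-upload guard: exits 0 and names the variable if any environment value of
# 8+ characters appears verbatim in the payload (e.g. an exported API key).
payload_leaks_env() {
  env | while IFS= read -r kv; do
    val=${kv#*=}
    [ ${#val} -ge 8 ] || continue
    case $1 in *"$val"*) echo "${kv%%=*}" ;; esac
  done | grep -q .
}

# Stand-alone run against constructed inputs (not a real server).
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  printf 'PermitRootLogin no\nPort 22\n' > "$d/sshd_config"
  printf 'NAME="Debian GNU/Linux"\nID=debian\nVERSION_ID="12"\n' > "$d/os-release"
  p=$(build_payload "$d/sshd_config" "$d/os-release")
  echo "$p"
  payload_leaks_env "$p" && echo "refusing to upload" || echo "payload clean"
fi
```

Run it with `sh collector.sh --demo` to see the payload and the guard's verdict; point the functions at real `/etc/ssh/sshd_config` and `/etc/os-release` only if you want to inspect your own states.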

Encrypted communication

All communication between the agent and our API happens over HTTPS with TLS. Results travel encrypted in transit. No information is transmitted over unencrypted channels.

Report generation

Check results are processed on our backend to generate a report in clear language. We use the Claude API (Anthropic) to write the explanations and fix commands. The model receives only check results (states, ports, versions), not identifying server data beyond the distribution and detected services.

External scan (paid audit only)

The paid audit includes an external port scan with nmap from our servers against your public IP. This shows which ports and services are visible from the internet, regardless of local firewall configuration. The scan runs once per audit.

Report storage and access

Reports are stored in PostgreSQL with restricted access. Each report is accessible only to the email address that requested the audit. We do not publish reports or share them with third parties. Reports are kept for 12 months.

Payments

Payments are processed entirely through Stripe. We do not store card numbers, CVVs, or banking details on our servers. Stripe is PCI DSS Level 1 compliant, the highest standard for payment processing security.

Honesty about where we are

We are a new product. We believe transparency builds more trust than certifications:

  • We do not have SOC 2 certification (yet). We will pursue it when our customer base justifies the investment.
  • We have not done a formal external pentest (yet). We will commission one when we reach meaningful revenue and will publish the results.
  • We do not roll our own cryptography. We use proven standards (TLS, AES-256, HTTPS).

This page always reflects our current state, not aspirations.

Security questions

If you have questions about how the audit works or how we protect your data, email us at hello@securecodehq.com.

© 2026 Server Audit. All rights reserved. Part of SecureCode HQ. Security for anyone building on the internet.