Trust Center — ScamLens

Security, privacy, accessibility and compliance posture of ScamLens.

Data protection

Encryption

TLS 1.2+ enforced everywhere (HSTS preload, 1-year). API keys encrypted at rest with AES-256-GCM.

Isolation

Cloudflare Zero Trust edge + D1 namespace isolation per project. Secrets rotation every 90 days.

Data minimization

No user-submitted content is shared with third parties beyond documented threat-intelligence aggregations.

Retention

Threat-intelligence data: permanent (anti-fraud public good). Operational data (logs, rate-limits): 90 days max.

GDPR (EU / UK)

Lawful basis documented per processing purpose. Data Processing Agreement (DPA) available on request. EU users can request access, correction, deletion, and portability under Articles 15-20. See the privacy page or email [email protected].

CCPA / CPRA (California)

Do-Not-Sell signal honored (via Global Privacy Control + page-level toggle). DSAR turnaround within 45 days. California residents can request disclosure, deletion, and opt-out of sale/share.

PCI DSS

ScamLens does not store or transmit cardholder data. All payments are processed by Stripe (PCI DSS Level 1 service provider). Tokens and receipts are stored, never PANs.

Accessibility (WCAG 2.2 AA)

Targeting WCAG 2.2 Level AA across all user-facing surfaces — aligned with U.S. Section 508 and EU EN 301 549 V3.2.1 procurement standards. Full posture and known gaps at /accessibility. VPAT available for public-sector procurement on request.

SOC 2 Type II (In progress — 2026 Q3)

Audit engagement scheduled for 2026 Q3 (Availability, Security, Confidentiality trust service criteria). Interim controls are in place: multi-factor admin auth, encrypted-at-rest secrets, 99.9%+ availability target, incident response SOP, quarterly penetration testing, and third-party vulnerability disclosure program (see VDP).

Enterprise buyers evaluating ScamLens pre-SOC 2 completion may request a customer-level attestation letter covering the current control environment. Email [email protected].

Vulnerability disclosure

We welcome good-faith security research. See /security for contact, acknowledgment policy, and safe-harbor terms. Machine-readable summary at /.well-known/security.txt.

Procurement contact

Financial institutions, government agencies, and enterprise buyers: request the current compliance packet (DPA, VPAT draft, SOC 2 status letter, DPIA, infosec questionnaire response) from [email protected], or submit a structured inquiry at /contact-sales.