Secureless scans other people's security. So ours has to be right.

Here is what is in place, how your data is protected, and what the scan looks like when pointed at itself.

secureless.ai security grade: A (scanned with the same tool; updated monthly)

Security controls in place

HSTS with preload and includeSubDomains
Content Security Policy (CSP)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy restricting camera, microphone, geolocation
DMARC policy at reject
SPF with hardfail
DKIM signing enabled
CAA records restricting certificate issuance
Rate limiting on all API endpoints
security.txt with contact and disclosure policy
No source maps in production
UUIDs for all identifiers (no sequential IDs)
All secrets in environment variables, never in code
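As an added example (not secureless.ai's own scanner code), a small Python check that evaluates a captured set of response headers against the HTTP header controls in the list above; the sample header values are constructed, not a real capture of secureless.ai.

```python
# Check HTTP response headers against the header controls listed above.
# Added illustration only; the sample headers are constructed, not a real capture.
from typing import Dict, List

# Constructed sample response headers (assumption, not a real capture).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

def _directives(value: str, sep: str) -> Dict[str, str]:
    """Split 'name=value<sep>name' header values into a lowercase name -> value map."""
    out: Dict[str, str] = {}
    for part in value.split(sep):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every listed header control is present."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = _directives(h.get("strict-transport-security", ""), ";")
    # The HSTS preload list requires a max-age of at least one year (31536000 s).
    max_age = hsts.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < 31536000:
        findings.append("HSTS missing or max-age below one year")
    for directive in ("includesubdomains", "preload"):
        if directive not in hsts:
            findings.append(f"HSTS lacks {directive}")
    if "content-security-policy" not in h:
        findings.append("no Content-Security-Policy header")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    # Permissions-Policy separates features with commas; "()" is the empty allowlist.
    policy = _directives(h.get("permissions-policy", ""), ",")
    for feature in ("camera", "microphone", "geolocation"):
        if policy.get(feature) != "()":
            findings.append(f"Permissions-Policy does not disable {feature}")
    return findings
```

`check_headers(SAMPLE_HEADERS)` returns an empty list for the constructed sample; feed it the header dictionary from any HTTP client response to get a findings list.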

Where your data is processed

Component              Provider                Location
Application hosting    Railway                 EU
Database               PostgreSQL on Railway   EU
Scan processing        Hetzner Cloud           Frankfurt, Germany
Email                  Resend                  Ireland, EU
Authentication         Clerk                   US (auth only, no scan data)
Payments               Stripe                  EU

Data retention

Scan results are retained for 13 months to support trend analysis. After 13 months, raw scan data is deleted and only aggregate scores and finding counts are kept. You can request deletion of your data at any time via privacy@secureless.ai.

Responsible disclosure

Found a security issue in secureless.ai? Report it to security@secureless.ai.

security.txt: /.well-known/security.txt

Cookie information

This site uses strictly-necessary cookies for authentication (Clerk) and bot protection (Cloudflare). No tracking, advertising, or analytics cookies are set, so no consent is required. Details in our privacy policy.