Security & Compliance
Effective Date: June 2026
Architecture Overview
TrustSniffer operates as an isolated modular monolith deployed on dedicated infrastructure. All analysis workloads run in ephemeral containers with no shared tenancy. Blockchain data is processed deterministically — we never store private keys, seed phrases, or custody assets on behalf of users.
The Web Intelligence engine executes headless browser sessions in sandboxed worker processes with restricted network egress. DOM rendering, JavaScript execution, and screenshot capture occur in isolated Playwright contexts that are destroyed after each scan. No target-site cookies, credentials, or session tokens are persisted.
Our infrastructure is segmented into three security zones: the public API gateway (TLS-terminated), the processing plane (no inbound internet access), and the storage layer (encrypted at rest, network-isolated).
Data Encryption
In Transit
All connections enforce TLS 1.3 with modern cipher suites. HTTP Strict Transport Security (HSTS) is enabled with a minimum max-age of one year. WebSocket connections use WSS exclusively.
At Rest
All persistent storage volumes use AES-256-GCM encryption. Database backups are encrypted with separate key material that is rotated quarterly. Artifact storage (analysis outputs) is encrypted per tenant: each tenant has a unique data encryption key, and those keys are wrapped by a master key held in a hardware security module (HSM).
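The per-tenant wrapping scheme described above is envelope encryption: artifacts are sealed under a tenant data encryption key (DEK), and only the DEK is sealed under the master key. The following is an added illustration, not TrustSniffer's code; it uses the Go standard library's AES-256-GCM, an in-memory byte slice stands in for the HSM-held master key, and the tenant IDs, master key version labels and "scan result" payload are constructed sample values. It goes slightly beyond the text in two ways: the tenant ID is bound as additional authenticated data so a wrapped key or artifact cannot be replayed under another tenant, and a rewrap step shows that rotating the master key does not require touching stored artifacts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// WrappedDEK is the per-tenant record a key store persists: the tenant DEK sealed
// under a master key. MasterKeyID records which master key version wrapped it,
// so a rotation job can tell which tenants still need re-wrapping.
type WrappedDEK struct {
	MasterKeyID string
	Nonce       []byte
	Ciphertext  []byte
}

// Envelope is a stored artifact: analysis output sealed under the tenant DEK.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns 32 random bytes; a 32-byte key selects AES-256 in aes.NewCipher.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts plaintext under key with a fresh random nonce. aad is
// authenticated but not encrypted, so the ciphertext is bound to it.
func sealAEAD(key, aad, plaintext []byte) (nonce, ciphertext []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// openAEAD fails on any tampering with the ciphertext or mismatch of the aad.
func openAEAD(key, aad, nonce, ciphertext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ciphertext, aad)
}

// WrapDEK generates a tenant DEK and wraps it under the master key, binding the
// tenant ID as AAD so the record cannot be reused for another tenant.
func WrapDEK(master []byte, masterID, tenantID string) ([]byte, WrappedDEK, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, WrappedDEK{}, err
	}
	nonce, ct, err := sealAEAD(master, []byte(tenantID), dek)
	if err != nil {
		return nil, WrappedDEK{}, err
	}
	return dek, WrappedDEK{MasterKeyID: masterID, Nonce: nonce, Ciphertext: ct}, nil
}

func UnwrapDEK(master []byte, tenantID string, w WrappedDEK) ([]byte, error) {
	return openAEAD(master, []byte(tenantID), w.Nonce, w.Ciphertext)
}

// EncryptArtifact seals one analysis output under the tenant DEK, again bound to
// the tenant ID so artifacts cannot be moved between tenants.
func EncryptArtifact(dek []byte, tenantID string, plaintext []byte) (Envelope, error) {
	nonce, ct, err := sealAEAD(dek, []byte(tenantID), plaintext)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

func DecryptArtifact(dek []byte, tenantID string, e Envelope) ([]byte, error) {
	return openAEAD(dek, []byte(tenantID), e.Nonce, e.Ciphertext)
}

// RewrapDEK is the master-key rotation step: unwrap under the old master key and
// wrap again under the new one. Stored artifacts are untouched, which is what
// keeps rotating the wrapping key cheap regardless of data volume.
func RewrapDEK(oldMaster, newMaster []byte, newMasterID, tenantID string, w WrappedDEK) (WrappedDEK, error) {
	dek, err := UnwrapDEK(oldMaster, tenantID, w)
	if err != nil {
		return WrappedDEK{}, err
	}
	nonce, ct, err := sealAEAD(newMaster, []byte(tenantID), dek)
	if err != nil {
		return WrappedDEK{}, err
	}
	return WrappedDEK{MasterKeyID: newMasterID, Nonce: nonce, Ciphertext: ct}, nil
}

func main() {
	master, _ := NewKey() // stand-in for the HSM-held master key (constructed)
	dek, wrapped, _ := WrapDEK(master, "master-v1", "tenant-a")
	env, _ := EncryptArtifact(dek, "tenant-a", []byte("constructed scan result"))
	if _, err := UnwrapDEK(master, "tenant-b", wrapped); err != nil {
		fmt.Println("cross-tenant unwrap rejected:", err)
	}
	master2, _ := NewKey()
	wrapped2, _ := RewrapDEK(master, master2, "master-v2", "tenant-a", wrapped)
	dek2, _ := UnwrapDEK(master2, "tenant-a", wrapped2)
	pt, _ := DecryptArtifact(dek2, "tenant-a", env)
	fmt.Printf("after rotation (%s): %s\n", wrapped2.MasterKeyID, pt)
}
```

In a real deployment the `master` slice never leaves the HSM: `WrapDEK` and `RewrapDEK` would call the HSM's wrap/unwrap operations instead of holding the key in process memory, and the wrapped records, not the DEKs, are what gets persisted next to the artifacts.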
Compliance & Certifications
- SOC 2 Type II — Audit in progress. Expected completion Q3 2026.
- ISO 27001 — Readiness assessment complete. Formal certification planned Q4 2026.
- GDPR — Fully compliant. Data Processing Agreements available on request.
- CCPA — Compliant. We do not sell personal information.
Vulnerability Reporting & Bug Bounty
We welcome responsible security research. If you discover a vulnerability in our platform, please disclose it responsibly:
Email: security@trustsniffer.com
PGP Key: Available on request
Scope: API, WebSocket, and web application vulnerabilities
We commit to acknowledging reports within 48 hours and providing a resolution timeline within 5 business days. Critical vulnerabilities in production are eligible for monetary reward under our private bug bounty program.