Security Overview

This document summarizes AutoExplore's main security, privacy, and continuity practices for prospects, customers, and partners.

Production access and customer data access are limited to authorized personnel who need access to operate, support, and improve the service.

1. Hosting and Infrastructure

AutoExplore operates its core service on Microsoft Azure.
Our primary Azure datacenter regions are Ireland and Sweden Central.
Public-facing services and APIs are protected through Azure networking and edge controls.
Infrastructure runs in secured and monitored Microsoft Azure datacenter environments.

HTTPS/TLS is used end-to-end for data in transit.
Data processed by the service is protected with strong encryption where appropriate.
Encryption and key management follow generally accepted security practices and controlled cloud security services.
Vulnerability assessments and security reviews are part of ongoing security management.

Security is considered throughout design, development, testing, and release.
AutoExplore uses continuous testing, including AutoExplore itself where applicable, to detect defects and regressions.
Dependencies and libraries are reviewed and updated regularly.
Known vulnerabilities in application code and dependencies are tracked and addressed based on severity and impact.

AutoExplore processes customer configuration data, scan results, report data, and related operational data.
The service stores screenshots, HTML snapshots, and related report artifacts from the Target Software.
Azure AI services may process scan outputs, page-derived text, screenshots, HTML snapshots, and issue descriptions needed to generate results.
Data is classified based on sensitivity.
Customer environments and customer data are kept logically separated.
Primary customer data hosting and AI processing regions are within the EU/EEA.
Data is retained only as long as the intended purpose, customer relationship, or applicable law requires.
We support applicable GDPR obligations, including access, rectification, deletion, and other relevant data subject rights.
Responsibility for information security and privacy oversight currently rests with the AutoExplore CEO.

Access is granted based on role and business need.
Least privilege is applied.
Access is reviewed, changed, and removed when no longer needed.
All AutoExplore user accounts require multi-factor authentication.
User logins are logged and monitored to detect malicious or suspicious access attempts.
Public API access is protected through layered controls, including edge validation and API key-based access controls.

AutoExplore uses Azure-native monitoring and diagnostics tooling for real-time visibility into service health and security-relevant events.
Login activity and other critical security-relevant actions are monitored in real time.
Logs are used for security, service reliability, troubleshooting, and misuse detection.
Log access is limited to authorized personnel with a work-related need.
Log access is controlled and supervised as part of our security practices.
Logs are retained for a defined period based on security, operational, troubleshooting, and legal requirements.
Logs are protected against unauthorized access and unauthorized modification.
Logs are used only for predefined security, operational, and compliance purposes.
Logging and telemetry are configured to reduce unnecessary exposure of secrets and sensitive parameters where applicable.
Incidents are handled based on severity and impact, with containment, recovery, root-cause analysis, and follow-up actions.
Customers are informed of relevant security incidents where required by contract, law, or the nature of the incident.

Critical data is backed up using Azure automated backup and recovery tooling.
Recovery capabilities are maintained and tested.
Infrastructure recovery is supported by version-controlled Microsoft Bicep templates and data backups.
Third-party dependencies are considered in continuity planning.

Selected third-party providers support service delivery and business operations.
Relevant security, confidentiality, and data protection terms are applied where needed.
The current public Subprocessor List is maintained.
We share relevant security and supplier information with prospects and customers and communicate relevant service and security changes where applicable.

The CEO is responsible for overall information security, privacy oversight, supplier oversight, risk decisions, and incident escalation.
Personnel are required to follow approved security practices and report incidents or weaknesses without delay.
This overview and supporting practices are reviewed at least annually and when significant changes occur.

For security or privacy questions, contact info@autoexplore.ai