Security Policy

SiteScanReport LLC
Effective Date: May 26, 2026
Last Updated: May 26, 2026

---

This Security Policy describes the technical and organizational safeguards SiteScanReport LLC ("SiteScanReport") maintains to protect the data and systems that support the Service at sitescanreport.com.

---

Infrastructure Security

Cloud Infrastructure. The Service runs entirely on infrastructure hosted by Amazon Web Services (AWS) in the us-east-1 (N. Virginia) region. AWS maintains SOC 2 Type II, ISO 27001, PCI DSS Level 1 service provider validation, and FedRAMP authorizations. Details are available at aws.amazon.com/compliance.

Encryption at Rest. Customer email addresses, submitted URLs, scan metadata, scan results, and report PDFs stored in Amazon S3 are encrypted at rest using AES-256 via AWS Key Management Service (KMS). Access to stored data and related encryption controls is restricted to the system components and administrative access paths that require it.

Encryption in Transit. Data transmitted between the Service and end users is encrypted using TLS 1.2 or higher. Connections to third-party service providers used to operate the Service are made over industry-standard encrypted channels.

Secrets Management. API credentials and service keys used for payment-related operations, transactional email, and AI-assisted report generation are stored in AWS Secrets Manager and retrieved only by authorized service components as needed.

Access Controls. Each component of the Service operates under a dedicated AWS IAM role with permissions limited to the minimum necessary for its function. No component has broad or shared access to system resources.

---

Payment Security

SiteScanReport uses Stripe, Inc. and Stripe Checkout to process payments. Payment card data is collected and processed through Stripe-hosted checkout infrastructure. SiteScanReport does not store, process, or have direct access to full payment card numbers or CVV codes on its own systems or servers.

---

Application Security

Webhook Security. Stripe Checkout and payment webhooks are validated using HMAC-SHA256 signature verification before processing. Requests with invalid or missing signatures are rejected.
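Verifying a signed webhook, as an added example that is not SiteScanReport's code: it implements the publicly documented Stripe-Signature header scheme (HMAC-SHA256 over "<timestamp>.<raw request body>" keyed with the endpoint secret) together with the two checks a practitioner would want around it, a constant-time digest comparison and a timestamp tolerance that rejects replayed requests. The endpoint secret, the event payload and the 300-second window are constructed sample values, not anything from the Service.

```python
"""Added example of HMAC-SHA256 webhook signature verification in the
Stripe-Signature header format. Illustrative code only; the secret,
payload and tolerance below are constructed for this example."""
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Constructed sample values (not a real credential and not a real event).
ENDPOINT_SECRET = "whsec_example_secret_do_not_use"
SAMPLE_PAYLOAD = b'{"id":"evt_example","type":"checkout.session.completed"}'
SAMPLE_TIMESTAMP = 1_700_000_000
DEFAULT_TOLERANCE_SECONDS = 300  # assumed replay window


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Parse 't=<unix-seconds>,v1=<hex>[,v1=<hex>...]' into (timestamp, v1 list).

    Raises ValueError for anything that does not carry both a timestamp
    and at least one v1 signature, so the caller can reject it.
    """
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)  # ValueError on non-numeric input
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed signature header")
    return timestamp, signatures


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body bytes>', hex encoded.

    The payload must be the exact bytes received on the wire: re-serialising
    a parsed JSON object changes whitespace/key order and breaks the check.
    """
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(payload: bytes, header: Optional[str], secret: str,
                   now: Optional[int] = None,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> bool:
    """Return True only for a request with a valid, fresh v1 signature."""
    if not header:
        return False  # missing header: reject before doing any work
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    expected = compute_signature(secret, timestamp, payload)
    # compare_digest is constant-time; a plain '==' would leak how many
    # leading characters of the forged signature matched.
    if not any(hmac.compare_digest(expected, s) for s in signatures):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > tolerance:
        return False  # signature is genuine but stale: treat as a replay
    return True


def sign_for_example(payload: bytes, secret: str, timestamp: int) -> str:
    """Build the header a sender would attach (used here to exercise verify)."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


if __name__ == "__main__":
    header = sign_for_example(SAMPLE_PAYLOAD, ENDPOINT_SECRET, SAMPLE_TIMESTAMP)
    print("fresh, valid:", verify_webhook(SAMPLE_PAYLOAD, header, ENDPOINT_SECRET,
                                          now=SAMPLE_TIMESTAMP + 10))
    print("replayed an hour later:", verify_webhook(SAMPLE_PAYLOAD, header,
                                                    ENDPOINT_SECRET,
                                                    now=SAMPLE_TIMESTAMP + 3600))
```

The ordering matters: the signature is checked before the timestamp so that an attacker cannot learn anything about the secret from a request that fails only the freshness test, and the handler should read the raw body bytes from the framework (not a parsed and re-encoded object) before calling the verifier.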

Abuse Prevention. The Service maintains technical measures designed to reduce abusive, automated, or disruptive use of public-facing endpoints.

Dependency Management. Third-party software dependencies are tracked and reviewed for known security vulnerabilities, and applicable security updates are applied based on operational needs and risk.

---

Data Handling

Minimal Data Collection. We collect only the information necessary to deliver the Service, including your email address, the URL you submit, and order metadata. We do not collect payment card data. See our Privacy Policy for additional detail.

Data Retention. Customer email addresses are retained as long as needed to support refunds and legal recordkeeping. Submitted URLs, scan metadata, scan results, and report PDFs are retained in AWS S3 for 7 years consistent with SiteScanReport's recordkeeping practices. Payment-related records maintained by SiteScanReport are retained as long as needed to support refunds and legal recordkeeping. Payment records and payment card data retained by Stripe are subject to Stripe's policies.

No Data Selling. We do not sell, rent, or share customer data with third parties for advertising, marketing, or any commercial purpose unrelated to delivering the Service.

---

Operational Security

Monitoring and Alerting. The Service uses AWS CloudWatch and automated alerting to monitor errors, failures, and other anomalous operating conditions and to notify the operator when investigation or action may be required.

Incident Response. SiteScanReport maintains internal procedures for identifying, investigating, containing, and remediating security incidents, including incidents involving customer data, and continues to develop those procedures over time. If a security incident requires notice under applicable law, we will provide notice to affected customers and, where required, applicable authorities in accordance with applicable law.

Vulnerability Disclosure. If you discover a security vulnerability in the Service, please report it to support@sitescanreport.com. We ask that you provide us a reasonable opportunity to investigate and remediate the issue before any public disclosure. We do not pursue legal action against researchers who report vulnerabilities in good faith.

---

Third-Party Service Providers

We use the following third-party service providers in delivering the Service. As described in our Privacy Policy, these providers currently include AWS, Stripe, Postmark, Anthropic, and Qualys SSL Labs.

Provider                          Purpose                                  Security Information
Amazon Web Services (AWS)         Cloud infrastructure and storage         aws.amazon.com/security
Stripe, Inc.                      Payment processing and hosted checkout   stripe.com/security
Postmark (ActiveCampaign, LLC)    Transactional email                      postmarkapp.com/security
Anthropic, PBC                    AI-assisted narrative generation         anthropic.com/security

---

Questions

Security questions or vulnerability disclosures may be sent to support@sitescanreport.com.

---

SiteScanReport LLC
support@sitescanreport.com
sitescanreport.com