Encryption in transit
All traffic to and from atlookup is encrypted with TLS (HTTPS). Plain HTTP requests are redirected to HTTPS, so data between your browser and our servers is never sent in the clear.
- HTTPS enforced across the app, API, and marketing pages.
- Modern TLS; legacy protocols are not offered.
- Security-relevant response headers (e.g. strict transport, content-type protections) are applied.
Accounts & sessions
Account credentials and sessions are handled with defense-in-depth:
- Passwords are salted and hashed with a strong one-way algorithm — we cannot read or recover your plain password.
- Session cookies are flagged Secure, HttpOnly, and SameSite to resist theft and cross-site misuse.
- CSRF protection guards state-changing form submissions.
- Sign-in supports email/password and Google OAuth; you can sign out to end a session at any time.
Payment security
We never touch your card. Payments are processed by a PCI-DSS compliant payment processor. Card numbers and related sensitive data are entered with, and stored by, the processor — atlookup never sees or stores them. We retain only the minimum needed to associate a subscription with your account (e.g. plan, status, and the processor’s reference).
Data handling
We practise data minimization — we collect only what the Service needs:
- Your email and a password hash (or OAuth identifier).
- The URLs you crawl and the resulting audit reports.
- Basic operational logs needed to run and secure the Service.
We do not sell your data or use your private crawl content to train external models. Retention and your rights (access, export, deletion) are covered in our Privacy Policy, and cookie use in our Cookie Policy.
Infrastructure & access
The Service runs on reputable cloud infrastructure. We limit who can access production systems and data to what’s necessary to operate and support the product.
- Access to production is restricted and authenticated.
- Dependencies are kept up to date; we monitor for known vulnerabilities and patch promptly.
- Backups are taken so your data can be recovered in case of failure.
Responsible disclosure
We welcome reports from security researchers. If you believe you’ve found a vulnerability, please tell us before disclosing it publicly so we can fix it.
- Email: [email protected]
- Or via our contact page (mark it “Security”).
- Machine-readable policy: /.well-known/security.txt
Safe harbor. If you make a good-faith effort to comply with this policy during your research, we will consider it authorized, will not pursue legal action against you, and will work with you to understand and resolve the issue quickly.
Please do give us reasonable time to remediate before public disclosure, avoid privacy violations and data destruction, and only test against your own account.
Please don’t run denial-of-service attacks, spam, social-engineer our team, or access data that isn’t yours.
Compliance roadmap
We’re honest about where we are. atlookup is a growing product, and we’ll claim formal certifications only when they’re real — not before.
Questions about our security practices? Reach us at [email protected] or via /contact.