For security & compliance reviewers · Updated 10 May 2026
Data Handling & Compliance
Everything AttackMap collects when you run a scan, where it's hosted, how it's encrypted, who can see it, and exactly when it's deleted. Written so a security analyst can clear AttackMap for a one-off audit in five minutes.
TL;DR for compliance
- One-off use only. AttackMap is sold as a single scan, not a recurring service. No account, no persistent customer record, no mailing list.
- No PII collected from scanned sites. We only read what's already public at your URL.
- Only the URL and your email leave your browser. Email is required only at the $29 paid step.
- All data is purged within 7 days of the scan completing. Server logs in 30.
- All subprocessors are major US/EU vendors with SOC 2 / ISO 27001 / PCI-DSS attestations: Cloudflare, Stripe, Railway, Microsoft 365, Anthropic.
- No analytics, no third-party trackers, no advertising cookies on attackmap.org.
- We are not SOC 2 certified ourselves. AttackMap is operated as a sole-proprietor service. For audits requiring SOC 2 from your scanner vendor, AttackMap isn't the right fit. For one-off security spot-checks of a single URL, it is.
What we collect
The minimum set required to deliver the product:
- Scan URL. The single URL you submit. Held in memory while the scan runs, then released. Never written to disk.
- Email address. Provided only via Stripe Checkout when you pay $29. Used solely to deliver the report (and refund/support correspondence you initiate).
- Scan output. The report we generate from your URL — security headers, exposed paths, CVE matches, etc.
- Server logs. Request IP + timestamp for rate-limiting and abuse prevention. Not correlated with email or identity.
- Payment metadata. Handled entirely by Stripe. AttackMap never sees, stores, processes, or has access to your card number, CVV, or full billing address.
We do not collect: phone numbers, names, company information, employer, IP geolocation for marketing, browser fingerprints, device IDs, or any third-party identifier. We run zero analytics packages on attackmap.org.
Where it lives (data residency)
| Data | Where stored | Region | Retention |
|---|---|---|---|
| Scan URL (in-memory only) | Railway application container | US (us-west2) | Discarded at scan end (seconds) |
| Cached scan summary (repeat-scan acceleration) | In-process RAM cache (no disk) | US (us-west2) | 1 hour TTL, then evicted |
| Paid report (Markdown + JSON) | Cloudflare R2, bucket attackmap-reports | Cloudflare auto-distributed (US/EU) | 7 days, then auto-deleted |
| Customer email + receipt | Stripe | US (Stripe primary region) | Per Stripe retention (regulatory: ~7 yrs for payment records) |
| Outbound email (the report itself) | Microsoft 365 / Exchange Online, reports@attackmap.org | US (M365 commercial tenant, us-east) | Sent items kept indefinitely unless deleted; no separate copy by AttackMap |
| Server access logs (IP + timestamp) | Railway log retention | US (us-west2) | 30 days, then rotated/purged |
| Report polish API call | Anthropic API (Claude) | US | Zero retention — not stored after response per Anthropic API terms |
| Source code, configuration | GitHub ClifMH/betteroff (private repo) | US | Indefinite |
Encryption
- In transit: TLS 1.3 (or TLS 1.2 minimum). Enforced via Cloudflare. HSTS with max-age=31536000; includeSubDomains.
- At rest:
  - Cloudflare R2: AES-256 server-side encryption, Cloudflare-managed keys.
  - Railway: encrypted volumes (AWS EBS-style, AES-256).
  - Stripe: PCI-DSS Level 1 storage, Stripe-managed keys.
  - Microsoft 365: BitLocker + per-file encryption (Microsoft-managed keys; customer-key option available but not enabled at our scale).
  - GitHub: AES-256 at rest, GitHub-managed keys.
- Secrets in our service: all credentials (Stripe keys, M365 app secret, R2 keys, Anthropic key) live in Railway environment variables, encrypted at rest, never committed to git, never logged.
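A reviewer can verify the in-transit claim above independently rather than take it on trust. The following is an added example (not AttackMap's code) that parses a Strict-Transport-Security header and checks it against the policy stated on this page (max-age of at least 31536000 seconds and includeSubDomains). The sample header values are constructed for illustration; `fetch_hsts` is the only part that touches the network and is provided for a live check against a URL you choose.

```python
"""Check a Strict-Transport-Security (HSTS) header against a stated policy.

Added example, not part of AttackMap. Assumed policy (from the page):
max-age=31536000; includeSubDomains, enforced over TLS.
"""
from typing import Dict, List, Optional
import urllib.request  # used only by fetch_hsts(); the checks are offline

POLICY_MIN_MAX_AGE = 31536000  # one year, as stated on the page


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS directive list into {name: value-or-None}.

    Directive names are case-insensitive (RFC 6797 section 6.1); a directive
    without '=' (e.g. includeSubDomains, preload) maps to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(value: Optional[str], min_max_age: int = POLICY_MIN_MAX_AGE) -> Dict[str, object]:
    """Evaluate a header value; returns a findings dict with an overall 'ok' flag."""
    problems: List[str] = []
    findings: Dict[str, object] = {
        "present": value is not None,
        "max_age_ok": False,
        "include_subdomains": False,
        "problems": problems,
        "ok": False,
    }
    if value is None:
        problems.append("no Strict-Transport-Security header")
        return findings
    d = parse_hsts(value)
    raw = d.get("max-age")
    if raw is None or not raw.isdigit():
        problems.append("max-age missing or not an integer")
    else:
        findings["max_age"] = int(raw)
        if int(raw) >= min_max_age:
            findings["max_age_ok"] = True
        else:
            problems.append(f"max-age {raw} is below the required {min_max_age}")
    if "includesubdomains" in d:
        findings["include_subdomains"] = True
    else:
        problems.append("includeSubDomains missing")
    findings["ok"] = not problems
    return findings


def fetch_hsts(url: str, timeout: float = 10.0) -> Optional[str]:
    """Live check: HEAD the URL and return its HSTS header value, or None.

    Only the header on an https:// response counts; browsers ignore HSTS
    received over plain HTTP (RFC 6797 section 8.1).
    """
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


# Constructed sample header values, not captured from any real site.
SAMPLES = {
    "compliant": "max-age=31536000; includeSubDomains",
    "too_short": "max-age=300",
    "absent": None,
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, check_hsts(hdr))
```

To run the live variant, call `fetch_hsts("https://example.invalid/")` with the host you are reviewing and pass the result to `check_hsts`; a header that appears on a redirect response counts, since `urlopen` follows redirects and reports the final response's headers.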
Subprocessors
Each vendor below sees only the data it needs to do its job. None of them have a unified view of your scan + identity + payment.
Cloudflare DNS · CDN · R2 storage
Routes attackmap.org traffic and stores generated reports. Sees request metadata (IP, headers, URL path) and report file contents.
Verify: Trust Hub — compliance resources · DPA · Privacy · SOC 2 / ISO reports available under NDA via the Trust Hub.
Stripe Payment processing
Processes the $29 payment. Sees your name, email, billing address, and card. AttackMap receives only your email and a session ID via webhook.
Verify: Security overview · DPA · Privacy · PCI-DSS AoC + SOC reports available on request to Stripe customers.
Railway Application hosting
Runs the scanner code in containerized US-west infrastructure on Google Cloud Platform. Sees the scan URL transiently in memory during request handling. Inherits GCP's SOC 2 / ISO 27001 / PCI-DSS / FedRAMP High posture for the underlying compute.
Verify: Security page · Privacy · DPA · GCP underlying compliance: Google Cloud Compliance Resource Center.
Microsoft 365 Outbound email
Delivers the report email via Microsoft Graph API from reports@attackmap.org. Sees your email address and report content. Mailbox lives in the M365 Commercial cloud, US data residency.
Verify: Service Trust Portal (downloadable SOC 1/2/3 reports, ISO certificates, FedRAMP packages, NIST mappings) · Compliance offerings index · Microsoft Products & Services DPA.
Anthropic Report polish (Claude API)
Raw scan findings are sent to Claude to be rewritten as plain-English remediation guidance. Your email is not sent. Per Anthropic's commercial API terms, prompts and responses are not retained after the response is returned and are not used to train models.
Verify: Trust Center (SOC 2 Type II + ISO 27001 reports under NDA) · Commercial terms · Usage policy.
GitHub Source control
Hosts the AttackMap source code in a private repository. Does not see customer data — only code, configuration, and commit history.
Verify: GitHub Security · Trust Center · Data Protection Agreement.
Access controls
- One administrator (the operator) has access to production secrets and infrastructure consoles.
- All admin accounts use SSO + hardware-key (FIDO2) MFA on the underlying identity provider.
- No employee or contractor has standing access to customer reports stored in R2 (admin access is gated behind separate explicit auth).
- Vendor credentials are stored exclusively in Railway environment variables, scoped to the attackmap-api service.
- Database: none. AttackMap intentionally has no persistent customer database to compromise.
Deletion & data-subject requests
You can request immediate deletion of your report and email-delivery record at any time. Email support@attackmap.org from the address that received the report. We confirm within 2 business days.
Deletion covers: the R2 report file, our copy of the outbound email, and any cached scan data. It does not cover Stripe payment records (regulatory retention applies) or your bank/card statement — those are governed by Stripe and your card issuer respectively.
If you're in the EU/UK, you have GDPR/UK-GDPR rights to access, correct, port, and delete your data. Same address, same SLA.
Breach notification
If we become aware of a security incident affecting your data, we will notify affected customers by email within 72 hours of confirmation, in line with GDPR Article 33 and applicable US state breach-notification laws. Notice will include: what happened, what data was affected, what we're doing, and what you should do.
What we are not
- Not SOC 2 certified. AttackMap is operated as a sole-proprietor service. We rely on our SOC 2-certified subprocessors but do not hold our own attestation.
- Not HIPAA-covered. We are not a Business Associate. Do not submit URLs that, by virtue of being scanned, would constitute disclosure of PHI under HIPAA.
- Not PCI-DSS-scoped beyond what Stripe covers. AttackMap's environment does not touch cardholder data — Stripe handles that end to end.
- Not built for unauthorized testing. By submitting a URL you assert you have authorization to scan it. See Terms.
For organizations whose procurement requires SOC 2 / ISO 27001 / DPA from the vendor itself, AttackMap is not the right fit. For one-off spot-checks of a URL you own, the data footprint is minimal and the subprocessor stack is compliant.
Use-cases this page exists for
- Pre-launch checklist. Engineer running one scan before flipping DNS to prod.
- Compliance evidence. Auditor wants to see "external attack-surface scan run within X days of go-live" — AttackMap's emailed Markdown report fits the evidence shape, with timestamps + scope.
- Vendor due diligence. You're vetting a vendor's public site for obvious leaks before signing.
- Periodic monthly review. Run once a month, save the report. Manual but cheap.
If you have a specific compliance framework you need to map AttackMap's output against (SOC 2 CC6, ISO 27001 A.13, PCI-DSS 11.3, NIST 800-53), email us and we'll add the mapping to your report at no extra charge.
Contact for security & compliance
- Security questions / vulnerability disclosure: support@attackmap.org
- Data deletion requests: support@attackmap.org
- DPA / vendor questionnaires: support@attackmap.org (we'll respond, though we don't sign bespoke DPAs for $29 single-scan customers — our standard privacy policy and terms govern the relationship)