Security at VeilScan

Last updated: 18 April 2026

Security is not a feature we add on top of VeilScan — it is the reason VeilScan exists. We hold ourselves to the same standard we help our customers achieve.

Infrastructure

Cloud and region

All infrastructure runs on AWS eu-west-2 (London). Customer data does not leave the United Kingdom. We use AWS Fargate for compute (no persistent EC2 attack surface), RDS PostgreSQL for the database, and S3 for report storage — all within the same region.

Network isolation

Scan containers run ephemerally — one container per scan, destroyed immediately after completion. Each container has strict CIDR egress rules: it can only reach the customer's authorised target scope. There is no path from a scan container to other customers' infrastructure or to the VeilScan control plane.

Encryption

  • In transit: TLS 1.2+ enforced on all endpoints. HSTS headers set.
  • At rest: RDS storage encrypted with AES-256. S3 reports encrypted with SSE-S3 (AES-256). Sensitive database fields (API keys, tokens) encrypted at the application layer with Fernet symmetric encryption before storage.
  • Secrets: All API keys, database credentials, and tokens are stored in AWS Secrets Manager — never in environment variables or code.

Authentication and Access Control

VeilScan uses email-verified sessions for customer authentication. No passwords are stored — session tokens are generated on login and stored as HttpOnly, Secure, SameSite=Lax cookies. Sessions expire automatically.

Access to production infrastructure is restricted to named engineers via MFA-protected AWS IAM roles. We follow the principle of least privilege throughout.

Scan Safety

We take precautions to ensure our scanning does not harm customer systems:

  • Scans are read-only and non-destructive — we observe and enumerate, not exploit
  • Rate limiting is applied to all probe operations to avoid triggering DDoS protections
  • Scope validation runs before every scan — requests outside the signed Rules of Engagement are hard-rejected
  • A 4-hour kill timeout is enforced on every scan container
  • Every scan action is logged to CloudWatch with a tamper-evident audit trail

Vulnerability Management

We maintain a vulnerability disclosure programme. If you discover a security issue in VeilScan:

  • Email support@veilscan.net with details
  • Include steps to reproduce, impact assessment, and any proof of concept
  • Give us a reasonable time to remediate before public disclosure (we ask for 90 days)
  • We will acknowledge receipt within 24 hours and keep you updated on our progress

We do not pursue legal action against researchers acting in good faith under these guidelines.

Data Handling

Customer scan data is confidential. We do not share findings with third parties. Scan containers have no access to other customers' data. Our full data handling practices are described in our Privacy Policy.

Compliance

VeilScan is built with compliance mapping for ISO 27001, GDPR, SOC 2, PCI DSS, and Cyber Essentials. We are working toward Cyber Essentials certification for our own infrastructure. Our data processing is conducted under UK GDPR with the ICO as our supervisory authority.

Incident Response

In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of becoming aware of the breach, in line with UK GDPR requirements. Notifications will be sent to registered account email addresses.

Contact

Security issues: support@veilscan.net
General enquiries: hello@veilscan.net
CodeCrypse IT Solutions LTD, England & Wales