Security & Trust

ShadowTrackr is a cybersecurity product. Our customers trust us with visibility into their most sensitive infrastructure. We hold ourselves to the same standard we help them achieve.

This page explains how we protect your data and our platform. If you have questions not answered here, contact us at .

Infrastructure & Data Hosting

All customer data is stored in Germany.

Our core infrastructure runs on servers operated by Hetzner Online GmbH, a fully German-owned company headquartered in Gunzenhausen, Germany. Hetzner operates data centres under German law and EU regulation.

Data centre location: Nuremberg, Germany
Jurisdiction: Germany / EU
Sovereignty: no US-owned cloud providers in the data path for stored data
Green energy: Hetzner operates on 100% renewable energy

Scanner nodes are placed globally to perform external-perspective scanning — the same view an attacker has. These nodes:

Do not store any customer data
Transmit results encrypted (TLS) to our German infrastructure immediately after each scan
Use full-disk encryption for the OS volume even though no customer data persists on them
Are maintained exclusively over secured SSH connections using long cryptographic keys — password-based authentication is disabled
Are architecturally isolated from core infrastructure — a compromised scanner node cannot affect the platform or other customers
Are fully automated and can be replaced or relocated at short notice

Encryption

Context	Standard
Data in transit (web, API)	TLS 1.2 minimum, TLS 1.3 preferred
Data in transit (scanner nodes → core)	TLS with certificate pinning
Data at rest (core infrastructure)	AES-256
Scanner node storage	AES-256 full-disk encryption
Backups	Encrypted with AES-256, stored in Germany

We score ourselves on the same SSL Labs / TLS grading criteria we use to grade your certificates. We aim for an A+ on all endpoints.

Authentication & Access Control

Customer authentication

Email and password with bcrypt hashing
Multi-factor authentication (MFA) via time-based one-time passwords (TOTP) — compatible with Google Authenticator, Microsoft Authenticator and similar apps. We strongly encourage all users to enable MFA.
API key authentication for programmatic access
Session management with server-side invalidation on logout and account deletion

Internal access controls

ShadowTrackr staff may access customer data for support and development purposes. Because ShadowTrackr works exclusively with data found on or derived from the external attack surface, this data does not typically contain privacy-sensitive information. Access to customer account details and financial data is restricted to authorised internal staff on a need-to-know basis.

Access to production systems is restricted to a minimal set of personnel
All administrative access is logged
No autonomous AI agents or third-party AI services have access to your data

No AI in Your Data

ShadowTrackr does not use AI agents, large language models or automated profiling on your data. Your asset data is not used to train machine learning models, fed to third-party AI APIs or processed for any purpose other than delivering the ShadowTrackr service to you.

No Tracking

We use only functional cookies — strictly necessary to manage your login session. We do not use Google Analytics, Meta Pixel, advertising networks or any third-party tracking technology. You can verify this with any browser developer tools or network inspector.

Vulnerability Management

We practice what we preach:

Our own domains and infrastructure are monitored with ShadowTrackr
We run continuous vulnerability scans against our own assets
Critical and high findings are treated as production incidents
Dependencies are monitored for known CVEs and updated promptly

Responsible Disclosure

We welcome reports from security researchers. If you find a vulnerability in any ShadowTrackr system, please email with:

A description of the vulnerability
Steps to reproduce
Your assessment of impact

Scope:

shadowtrackr.com and all subdomains
ShadowTrackr API endpoints

Out of scope: social engineering, physical attacks, denial-of-service testing.

Safe harbour: researchers who follow responsible disclosure and do not access, modify or exfiltrate user data will not face legal action. We will acknowledge your report within 3 business days and keep you updated on our remediation progress.

We do not currently operate a paid bug bounty programme, but we will thank you publicly (if you want) and may offer account credit for significant findings.

Compliance

GDPR compliant (EU Regulation 2016/679)
Baseline Informatiebeveiliging Overheid 2 (BIO2) — Dutch government security baseline, an implementation of ISO/IEC 27001 and ISO/IEC 27002
Functional cookie-only policy (compliant with ePrivacy Directive / EU Cookie Law)
EU data residency by design

Enterprise and government customers can request our current compliance documentation by emailing .

Data Processing Agreements

We offer Data Processing Agreements (DPAs) under Art. 28 GDPR for customers who need them for their own compliance obligations. Contact to request a DPA.

Incident Response

In the event of a security incident affecting customer data, we will:

Notify affected customers within 72 hours of becoming aware (in line with GDPR Art. 33)
Provide details of what data was affected, how, and what we are doing about it
Report to the relevant supervisory authority as required

Questions

for security questions.
for data protection and GDPR questions.
for everything else.