
Security at VeilScan

Last updated: 18 April 2026

Security is not a feature we add on top of VeilScan — it is the reason VeilScan exists. We hold ourselves to the same standard we help our customers achieve.

What about infrastructure?

Cloud and region

All infrastructure runs on AWS eu-west-2 (London). Customer data does not leave the United Kingdom. We use AWS Fargate for compute (no persistent EC2 attack surface), RDS PostgreSQL for the database, and S3 for report storage — all within the same region.

Network isolation

Scan containers run ephemerally — one container per scan, destroyed immediately after completion. Each container has strict CIDR egress rules: it can only reach the customer's authorised target scope. There is no path from a scan container to other customers' infrastructure or to the VeilScan control plane.

Encryption

  • In transit: TLS 1.2+ enforced on all endpoints. HSTS headers set.
  • At rest: RDS storage encrypted with AES-256. S3 reports encrypted with SSE-S3 (AES-256). Sensitive database fields (API keys, tokens) encrypted at the application layer with Fernet symmetric encryption before storage.
  • Secrets: All API keys, database credentials, and tokens are stored in AWS Secrets Manager — never in environment variables or code.

What about authentication and access control?

VeilScan uses email-verified sessions for customer authentication. No passwords are stored — session tokens are generated on login and stored as HttpOnly, Secure, SameSite=Lax cookies. Sessions expire automatically.

Access to production infrastructure is restricted to named engineers via MFA-protected AWS IAM roles. We follow the principle of least privilege throughout.

What about scan safety?

We take precautions to ensure our scanning does not harm customer systems:

  • Scans are external and non-destructive — we validate exposed internet-facing behaviour without authenticated or internal testing
  • Rate limiting is applied to all probe operations to avoid triggering DDoS protections
  • Scope validation runs before every scan — requests outside the signed Rules of Engagement are hard-rejected
  • A 4-hour kill timeout is enforced on every scan container
  • Every scan action is logged to CloudWatch with a tamper-evident audit trail

Customer use is also governed by our Acceptable Use Policy, including strict limits on unauthorised scanning.
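The pre-scan scope check described above can be sketched as follows. This is an added example, not VeilScan's own code: the function names, the OutOfScope exception and the sample scope (built from documentation address ranges) are assumptions made for illustration. It fails closed, rejecting the whole request if any target is malformed or not fully contained in one authorised CIDR block.

```python
import ipaddress

# Constructed sample scope (documentation ranges standing in for a customer's
# authorised targets; hypothetical, not taken from VeilScan).
AUTHORISED_SCOPE = ["203.0.113.0/24", "198.51.100.16/28", "2001:db8:42::/48"]


class OutOfScope(Exception):
    """Raised when a target is malformed or not fully inside the scope."""


def normalise(target):
    """Parse one IP address or CIDR block into a network object."""
    # strict=True refuses values such as 203.0.113.5/24, where host bits are
    # set and the intended range is ambiguous.
    net = ipaddress.ip_network(target, strict=True)
    # Compare IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it reaches.
    if net.version == 6 and net.prefixlen == 128:
        mapped = net.network_address.ipv4_mapped
        if mapped is not None:
            return ipaddress.ip_network(str(mapped))
    return net


def validate_targets(targets, scope_cidrs):
    """Return parsed targets, or raise OutOfScope for the whole request."""
    scope = [ipaddress.ip_network(c, strict=True) for c in scope_cidrs]
    accepted = []
    for target in targets:
        try:
            net = normalise(target)
        except ValueError as exc:
            # Hostnames and garbage are refused here: this sketch does no DNS.
            raise OutOfScope(f"unparseable target {target!r}") from exc
        # A target must sit entirely inside a single authorised block; a range
        # wider than the scope, or straddling two blocks, is rejected.
        if not any(net.version == s.version and net.subnet_of(s) for s in scope):
            raise OutOfScope(f"{target!r} is outside the authorised scope")
        accepted.append(net)
    return accepted


if __name__ == "__main__":
    print(validate_targets(["203.0.113.7", "198.51.100.16/29"], AUTHORISED_SCOPE))
```

The same parsed networks could feed the per-container egress rules, so the allow-list enforced at the network layer matches what the validator accepted.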

What about vulnerability management?

We maintain a vulnerability disclosure programme. If you discover a security issue in VeilScan:

  • Email support@veilscan.net with details
  • Include steps to reproduce, impact assessment, and any proof of concept
  • Give us a reasonable time to remediate before public disclosure (we ask for 90 days)
  • We will acknowledge receipt within 24 hours and keep you updated on our progress

We do not pursue legal action against researchers acting in good faith under these guidelines.

What about data handling?

Customer scan data is confidential. We do not share findings with third parties. Scan containers have no access to other customers' data. Our full data handling practices are described in our Privacy Policy.

What about compliance?

VeilScan is built with compliance mapping for ISO 27001, GDPR, SOC 2, PCI DSS, and Cyber Essentials. We are working toward Cyber Essentials certification for our own infrastructure. Our data processing is conducted under UK GDPR with the ICO as our supervisory authority.

What about incident response?

In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of becoming aware of the breach, in line with UK GDPR requirements. Notifications will be sent to registered account email addresses.

What about contact?

Security issues: support@veilscan.net
General enquiries: hello@veilscan.net
CodeCrypse IT Solutions LTD, England & Wales

© 2026 CodeCrypse IT Solutions LTD — All rights reserved. Data stored in AWS eu-west-2 (London)