Security & privacy
A short, honest description of what Pwnkemon stores, what it does with the data, and how we operate the platform.
What we store
- Account data: email and authentication identifiers from your sign-in provider (Clerk).
- Verified targets: the domains/IPs you've verified, plus the challenge tokens used to verify them.
- Scan records: requests, status, findings, the agent's tool calls and decisions, and final reports.
- Usage metadata: token counts and cost per scan, used for billing and quota enforcement.
We do not store the full raw content of every HTTP response your scans pull — large bodies are summarised by the agent and only relevant excerpts are retained as evidence in findings.
How we use scan data
Scan inputs and outputs are used to execute the scan, render the report, and bill your account. We do not train models on your scan data. We do not share scan contents with anyone outside the team operating Pwnkemon, except as required to deliver the service (e.g. our LLM provider receives prompts during inference, see below).
Third-party processors
- Anthropic — LLM inference for the scanning agent. Scan inputs are sent over TLS; Anthropic does not retain prompts for training.
- Clerk — authentication. Stores email and login session data.
- Stripe (coming soon) — payment processing. Card data never touches Pwnkemon servers.
- Railway — application hosting (Postgres, Redis, app servers).
Encryption
All traffic in and out of Pwnkemon is TLS 1.2+ only; TLS 1.0 and 1.1 are disabled. Database connections are encrypted in transit. Storage encryption at rest is provided by our infrastructure platform.
Authentication & auth
Pwnkemon supports email, Google, and other OAuth providers via Clerk. API tokens are issued per-user, hashed at rest (we never store the raw value), and can be revoked individually.
Sessions are short-lived; API tokens can carry a custom expiry that you set when issuing them.
Target verification = legal protection
Pwnkemon will only scan targets you've proven ownership of via DNS TXT or HTTP file challenge. This is enforced server-side. We don't offer a way to skip this — it's what keeps both you and us on the right side of computer-misuse legislation.
Even with verification, you are responsible for ensuring you have authorisation to test what you scan. Pwnkemon is not liable for misuse.
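As an added illustration of the server-side ownership check described above (example code, not Pwnkemon's own implementation): the TXT record name `_pwnkemon-challenge.` and the path `/.well-known/pwnkemon-challenge.txt` are assumptions, since the page only names the two mechanisms, and the DNS resolver and HTTP client are stubbed so the example runs offline.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Assumed locations for the challenge; the page only names the two mechanisms.
TXT_RECORD_PREFIX = "_pwnkemon-challenge."
HTTP_CHALLENGE_PATH = "/.well-known/pwnkemon-challenge.txt"

@dataclass(frozen=True)
class Challenge:
    target: str   # domain or IP the user claims to own
    token: str    # unguessable value the user must publish

def issue_challenge(target: str) -> Challenge:
    """Mint a fresh 256-bit token from the OS CSPRNG, one per target."""
    return Challenge(target=target, token=secrets.token_urlsafe(32))

def _matches(candidate: str, token: str) -> bool:
    # Constant-time comparison; encode to bytes so a non-ASCII record cannot raise.
    return hmac.compare_digest(candidate.strip().encode(), token.encode())

def verify_dns(ch: Challenge, lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """DNS TXT challenge: some TXT record at the challenge name must equal the token."""
    return any(_matches(r, ch.token) for r in lookup_txt(TXT_RECORD_PREFIX + ch.target))

def verify_http(ch: Challenge, fetch: Callable[[str], Optional[str]]) -> bool:
    """HTTP file challenge: the file served by the target itself must hold the token."""
    body = fetch(f"https://{ch.target}{HTTP_CHALLENGE_PATH}")
    return body is not None and _matches(body, ch.token)

def authorise_scan(ch: Challenge, lookup_txt, fetch) -> bool:
    """Server-side gate: a scan may start only when one of the challenges passes.
    The client only requests; this function decides, so it cannot be skipped."""
    return verify_dns(ch, lookup_txt) or verify_http(ch, fetch)

# Constructed stand-ins for a DNS resolver and an HTTP client (offline example).
def make_stub_resolver(published: dict) -> Callable[[str], Iterable[str]]:
    return lambda name: published.get(name, [])

def make_stub_fetcher(served: dict) -> Callable[[str], Optional[str]]:
    return lambda url: served.get(url)

if __name__ == "__main__":
    ch = issue_challenge("example.com")
    dns = make_stub_resolver({"_pwnkemon-challenge.example.com": [ch.token]})
    http = make_stub_fetcher({})  # nothing served over HTTP in this run
    print("allowed:", authorise_scan(ch, dns, http))        # True, proven via DNS
    impostor = Challenge("example.com", secrets.token_urlsafe(32))
    print("allowed:", authorise_scan(impostor, dns, http))  # False, token differs
```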
Vulnerability disclosure
Found a security issue in Pwnkemon itself? Please email [email protected] with details. We'll acknowledge within 48 hours and work with you on coordinated disclosure. We don't have a paid bug bounty programme yet — we're a small team — but we'll publicly credit researchers in our security advisories.
Please do not perform unauthorised testing against our infrastructure beyond what's necessary to demonstrate the issue. Out of scope: denial-of-service, social engineering against staff, physical attacks, third-party services (Clerk, Stripe, Railway).
Data retention & deletion
- Scan reports on the Free plan auto-delete after 7 days.
- Scan reports on paid plans are retained until you delete them.
- Deleting an account removes all associated scans, targets, tokens, and account data within 30 days.
Backups may retain deleted data for up to 30 days for disaster recovery, after which it's permanently purged.
Compliance
Pwnkemon is currently pre-SOC 2. We follow the controls we expect to certify against (least-privilege access, encrypted backups, audit logging) but don't yet have an external attestation. SOC 2 Type I is on the roadmap for the first half of operating year one.
For Business and Enterprise customers requiring DPAs, GDPR contracts, or other compliance paperwork ahead of certification, contact us via the dashboard.
Contact
- Security issues: [email protected]
- Privacy / data requests: [email protected]
- General support: [email protected]