Trust & Security
Security at Pentevo
We hold ourselves to the same standards we help clients achieve. Here is how we protect your data, your scan results, and your account.
Encryption
All data transmitted between your browser, the Pentevo API, and our scan engine is encrypted using TLS 1.2 or higher. We enforce HTTPS-only access and apply HSTS headers with a one-year max-age to prevent downgrade attacks.
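One way to verify the HSTS policy described above from the outside, as an added example rather than Pentevo's own code: a small Python checker that parses a Strict-Transport-Security header value and flags a max-age shorter than one year. The includeSubDomains check goes beyond what the page states, and the sample header values at the bottom are constructed.

```python
"""Check a Strict-Transport-Security (HSTS) response header against a
one-year max-age policy. Header values used below are constructed samples."""
import re
from typing import Dict, List, Optional, Union

ONE_YEAR = 31536000  # seconds; the max-age the page says Pentevo enforces


def parse_hsts(header: str) -> Dict[str, Union[str, bool]]:
    """Split an HSTS header value into directives (RFC 6797 syntax).

    Directive names are case-insensitive; max-age carries a value while
    includeSubDomains and preload are bare flags (stored as True).
    """
    directives: Dict[str, Union[str, bool]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        value = value.strip().strip('"')
        directives[name.strip().lower()] = value if value else True
    return directives


def check_hsts(header: Optional[str], min_age: int = ONE_YEAR) -> List[str]:
    """Return policy violations for a header value; an empty list means it passes.

    Checks: header present, max-age is a non-negative integer, max-age is at
    least min_age, and includeSubDomains is set (an extra check added here,
    not something the page states).
    """
    if header is None:
        return ["missing Strict-Transport-Security header"]
    problems: List[str] = []
    directives = parse_hsts(header)
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not re.fullmatch(r"[0-9]+", max_age):
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < min_age:
        problems.append(f"max-age {max_age} is below the required {min_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set")
    return problems


if __name__ == "__main__":
    # Constructed sample header values, as a browser would receive them.
    samples = {
        "compliant": "max-age=31536000; includeSubDomains; preload",
        "short": "max-age=300",
        "malformed": "max-age; includeSubDomains",
        "absent": None,
    }
    for label, value in samples.items():
        print(f"{label:10s} -> {check_hsts(value) or ['ok']}")
```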
Data at rest — including scan results, findings, reports, and account information — is encrypted using AES-256. Encryption keys are managed via a dedicated key management service with automatic rotation on a 90-day cycle.
Database backups are encrypted before storage and stored in geographically separate regions from primary data.
Scan Isolation
Every scan session runs in an isolated execution environment. Scan agents are ephemeral — provisioned at scan start and destroyed at completion. No scan agent persists between sessions, and no data from one scan is accessible to another tenant's session.
Outbound scan traffic is network-isolated from internal Pentevo infrastructure. Scan agents cannot reach internal services, databases, or other customer environments — only the target you define.
Scan results are stored in tenant-partitioned storage. There is no shared state between accounts.
Access Control
Access to Pentevo production systems is restricted to authorized engineering and operations staff. All access requires:
- Hardware-bound multi-factor authentication (FIDO2/WebAuthn)
- Just-in-time access provisioning with automatic expiry
- Full audit logging of all administrative actions
- Access reviews conducted quarterly
Engineers do not have standing access to customer data. Production database access requires an approved access request with a defined time window and purpose.
Data Retention & Deletion
Scan data is retained for 12 months by default. You can configure shorter retention periods in your account settings or delete individual scans at any time.
When you delete a scan or close your account, data is removed from primary storage immediately and purged from backups within 30 days. We do not archive deleted customer data beyond this window.
Compliance & Certifications
Pentevo is designed and operated with the following compliance frameworks as guiding principles:
SOC 2 and ISO 27001 audits are currently underway. Reports will be available to enterprise customers under NDA upon completion.
Penetration Testing
We practice what we preach. Pentevo undergoes regular third-party penetration testing by independent security firms. Our own platform is a continuous target of internal red team exercises.
Enterprise customers may request our most recent penetration test summary report by contacting security@pentevo.com.
Responsible Disclosure
If you discover a security vulnerability in Pentevo, we want to hear from you. We maintain a responsible disclosure program and commit to:
- Acknowledging your report within 24 hours
- Providing a resolution timeline within 5 business days
- Not pursuing legal action against good-faith researchers
- Crediting you in our security advisories (if desired)
Report vulnerabilities to security@pentevo.com. See our full Responsible Disclosure Policy.