Trust Center
Trust & Compliance
Security and compliance documentation for enterprise procurement teams, security officers, and customers who need to understand how Pentevo handles their data.
Compliance Posture
- SOC 2 Type II: In Audit
- ISO 27001: In Audit
- GDPR: Compliant
- CCPA: Compliant

SOC 2 and ISO 27001 audit reports will be available to enterprise customers under NDA upon completion. Contact security@pentevo.com to request documentation.
Data Handling Practices
Encryption at rest and in transit
AES-256 at rest. TLS 1.2+ in transit. Encryption keys rotated every 90 days via dedicated key management service.
Tenant data isolation
Each customer's scan data, findings, and reports are stored in isolated, partitioned storage. No shared state between tenants.
Data residency
Primary data resides in AWS us-east-1. EU customers may request EU-resident storage at no additional cost.
Data retention
Scan data retained 12 months by default. Configurable down to 30 days. Account deletion triggers full purge within 30 days.
No AI training on customer data
Your scan results and findings are never used to train AI models without explicit written consent.
Penetration Testing Authorization Process
Pentevo is a security testing tool. Every scan must be authorized. Our authorization process:
1. Customer provides target URL and asserts ownership or written authorization from target owner.
2. Scope boundaries are defined: included domains, excluded paths, rate limits.
3. Customer accepts Terms of Service, which explicitly require authorization for all targets.
4. Pentevo records the authorization declaration with timestamp and account identity.
5. Scan engine enforces defined scope and will not issue requests to out-of-scope hosts.
Subprocessors
Pentevo uses the following third-party subprocessors to deliver the service. All subprocessors are bound by data processing agreements and comply with applicable privacy regulations.
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure, compute, and storage | USA / EU |
| Stripe | Payment processing and billing | USA |
| Anthropic | AI language model inference (scan agent reasoning) | USA |
| Supabase | Database and authentication | USA / EU |
| Postmark | Transactional email delivery | USA |
| Sentry | Error monitoring and diagnostics | USA |
Subprocessor list last updated April 2026. Enterprise customers receive 30 days' notice before any new subprocessor is added.