We're a security company. We hold ourselves to the standard we ask of our customers.
vul.ninja takes a least-privilege approach to cloud access. We request the minimum permissions needed to scan your environment, and we never store long-lived credentials.
We deploy a read-only IAM role via CloudFormation. vul.ninja assumes this role via STS and receives short-lived session tokens — no long-term AWS access keys are ever created or stored. You can revoke access at any time by deleting the CloudFormation stack.
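As an added illustration (not vul.ninja's own CloudFormation template), this is the shape of a read-only cross-account role of the kind described above; the scanner account ID and the external ID are placeholders, and the SecurityAudit managed policy is one assumed choice of read-only policy.

```yaml
# Added example, not vul.ninja's template. Deploys a read-only role that a
# scanner account can assume via STS; deleting the stack removes the role.
AWSTemplateFormatVersion: "2010-09-09"
Description: Read-only scanner role (delete this stack to revoke access)
Parameters:
  ScannerAccountId:
    Type: String
    Description: AWS account the scanner assumes the role from (placeholder)
    Default: "111111111111"
  ExternalId:
    Type: String
    Description: Value the scanner must present in AssumeRole (placeholder)
    NoEcho: true
Resources:
  ScannerReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the scanner account may assume the role, and only
      # when it supplies the agreed ExternalId (confused-deputy protection).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ScannerAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # Session tokens expire after at most one hour (the STS minimum).
      MaxSessionDuration: 3600
      # AWS-managed read-only policy aimed at configuration auditing.
      # ReadOnlyAccess would also be read-only but is broader: it includes
      # reading object contents (e.g. s3:GetObject), which a config scanner
      # does not need.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
Outputs:
  RoleArn:
    Description: Role ARN to register with the scanner
    Value: !GetAtt ScannerReadOnlyRole.Arn
```

After deploying, the role's trust policy and attached policies can be checked with `aws iam get-role` and `aws iam list-attached-role-policies`, and every AssumeRole call against it appears in CloudTrail with the session's expiry.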
We connect via Microsoft Entra OAuth with Reader RBAC. OAuth tokens are short-lived and refreshed via the OAuth refresh token flow. You can revoke access at myaccount.microsoft.com/Permissions.
We connect via Google OAuth 2.0 with PKCE. No JSON service account key files are ever downloaded or stored. You can revoke access at myaccount.google.com/permissions.
Every API call vul.ninja makes against your cloud is logged in a full audit trail, downloadable from your dashboard. You can see exactly what we accessed, when, and why.
Your data is stored in AWS US-East-1. EU data residency is on our roadmap — contact us if this is a requirement.
Findings and scan history are retained for 12 months on paid plans. You can export all data at any time from your dashboard.
You can delete your account and all associated data at any time from your dashboard settings. Deletion is permanent and completed within 30 days.
Agent calls are isolated to your account. Your findings and cloud configurations are never shared with or visible to other customers.
We do not use your security findings, cloud configuration data, or any tenant-specific data to train or fine-tune AI models.
AI agents can propose fixes, but every write action requires your explicit approval before anything touches your cloud infrastructure.
Every agent action — what it analyzed, what it proposed, what you approved or rejected — is logged and available in your dashboard.
The specifics on how we handle your data when AI is involved — what we redact, which models we use, and how you can verify it all yourself.
Every sanitized payload is re-scanned for leaks before it leaves our infrastructure.
We'd rather be audited than ask you to take our word for it. Customers and prospects can request any of the following:
Read the sanitization, audit-logging, and AI client code directly.
Full CSV/JSON export of every AI call, with token counts and timestamps.
Live walkthrough with our team covering any AI-safety control you care about.
The following vendors may process customer data as part of delivering the vul.ninja service.
| Vendor | Purpose | Data access |
|---|---|---|
| AWS | Cloud hosting and infrastructure | All customer data (encrypted) |
| Microsoft Azure / Entra | Authentication and identity | User account identifiers, auth tokens |
| Stripe | Payment processing | Billing information only |
| Anthropic | AI model inference (for agent features) | Finding descriptions, cloud configuration metadata |
This list is updated as our subprocessors change. Last updated: April 2026.
security@vul.ninja
For vulnerability reports, security questions, DPA requests, or data deletion requests.
We acknowledge all security reports within 48 hours.