Security

Your Data Is Yours

Penetration test reports contain the most sensitive data a company produces. We built PenReport AI with security-first principles so you can confidently use it on any engagement — including regulated industries.

Workspace Isolation

Every workspace is isolated at the database level using PostgreSQL Row-Level Security (RLS). Your findings, engagements, and reports are scoped exclusively to your workspace.

No other workspace or user can query your data through the application, and that includes PenReport AI staff: only direct database access, with a role that bypasses RLS, sits outside workspace scoping.
RLS policies are enforced by the database itself, not only by application code. A bug in the API cannot widen a query beyond the caller's workspace, because PostgreSQL filters rows before any result is returned, provided the query runs under the caller's JWT-derived role rather than a privileged service role.
Each API request carries a workspace-scoped JWT that Supabase verifies before any query executes; the workspace claim in that token is what the RLS policies compare against.
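As an added illustration of the approach described above (this is not PenReport AI's actual schema or policy set), the following shows how a table is scoped to one workspace with PostgreSQL RLS keyed on a claim from a Supabase-verified JWT, together with a psql check that simulates two workspaces without running the API. The table name `findings`, the `workspace_id` column, and the claim living under `app_metadata` are assumptions made for the example; `auth.jwt()` and the `authenticated` role are Supabase's own.

```sql
-- Added example, not PenReport AI's schema: a findings table isolated per
-- workspace with Row-Level Security. Assumptions: the workspace id travels
-- in the JWT as app_metadata.workspace_id and queries run as "authenticated".
create table findings (
  id            uuid primary key default gen_random_uuid(),
  workspace_id  uuid not null,
  title         text not null
);

grant select, insert, update, delete on findings to authenticated;

alter table findings enable row level security;
-- Also apply the policies to the table owner, not only to other roles.
alter table findings force row level security;

-- Resolve the caller's workspace from the verified JWT. auth.jwt() is
-- Supabase's helper that reads the request.jwt.claims setting PostgREST
-- populates after signature verification; it is NULL for anonymous calls.
create or replace function current_workspace_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'workspace_id', '')::uuid
$$;

-- USING filters rows out of every SELECT/UPDATE/DELETE; WITH CHECK rejects
-- an INSERT or UPDATE that would place a row in another workspace, even if
-- the application forgets to set or validate the column.
create policy findings_workspace_scope on findings
  for all to authenticated
  using      (workspace_id = current_workspace_id())
  with check (workspace_id = current_workspace_id());

-- Verification in psql as the database owner: act as two different tokens.
begin;
set local role authenticated;

-- Token for workspace 1111...: writes land in, and reads stay inside, that workspace.
set local request.jwt.claims =
  '{"sub":"user-a","role":"authenticated","app_metadata":{"workspace_id":"11111111-1111-1111-1111-111111111111"}}';
insert into findings (workspace_id, title)
  values ('11111111-1111-1111-1111-111111111111', 'Reflected XSS in /search');
select id, title from findings;  -- only this workspace's rows are visible

-- A write into a foreign workspace fails the WITH CHECK clause:
-- insert into findings (workspace_id, title)
--   values ('22222222-2222-2222-2222-222222222222', 'smuggled');  -- rejected

-- Token for workspace 2222...: same table, same role, nothing visible.
set local request.jwt.claims =
  '{"sub":"user-b","role":"authenticated","app_metadata":{"workspace_id":"22222222-2222-2222-2222-222222222222"}}';
select id, title from findings;

-- Anonymous call: current_workspace_id() is NULL, so no row matches.
set local request.jwt.claims = '';
select id, title from findings;
rollback;
```

The caveat that matters operationally is the role the API connects with: Supabase's `service_role` key has `BYPASSRLS`, so a backend that uses it for per-user requests silently disables every policy above. Per-user queries must run as `authenticated` with the caller's own JWT, and the service key should be confined to jobs that genuinely need cross-workspace access.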

AI Data Handling

When you expand a finding with AI, the finding data is sent to the Anthropic Claude API for processing. Here is exactly what happens:

Anthropic does not retain your data. API inputs and outputs are processed and then discarded under a zero-data-retention policy.
Anthropic does not train on your data. API usage is explicitly excluded from model training per Anthropic's usage policy.
The in-app audit log (workspace settings → AI Usage) records every AI call: model used, token counts, and timestamp — giving you a full paper trail.
Read Anthropic's Usage Policy

Encryption

At rest: All data is encrypted with AES-256 via Supabase/PostgreSQL.
In transit: All connections use TLS 1.3. No unencrypted HTTP endpoints.
Evidence files (screenshots, HTTP pairs) are stored in Supabase Storage with server-side encryption and served via short-lived signed URLs that expire in minutes. Generated PDF and DOCX reports are delivered via Cloudflare R2 and auto-deleted after 24 hours.

Sub-processors

We use the following third-party processors. Each has a published DPA you can review for procurement purposes.

Processor       Purpose                              Location         Agreement
Anthropic       AI processing (Claude API)           United States    DPA
Supabase        Database, authentication, file storage   AWS us-east-1    DPA
Cloudflare R2   Report export delivery (PDF/DOCX)    Global CDN       DPA

Data Portability

You are never locked in. All data can be exported at any time.

Export all engagements, findings, and evidence metadata as a structured JSON file from workspace settings → Data & Privacy.
Export individual reports as PDF or DOCX at any time.
If we ever shut down, we commit to a minimum 90-day wind-down period with full export access before any data deletion.

Responsible Disclosure

Security professionals will probe PenReport AI — and we welcome it. If you discover a vulnerability, please report it responsibly.

Email security@penreport.ai with details. We acknowledge within 24 hours and aim to remediate within 14 days.
We follow coordinated disclosure: we will work with you on a disclosure timeline before any public announcement.
No legal action will be taken against researchers acting in good faith within the scope of responsible disclosure.
View security.txt

DPA & Compliance Requests

For enterprise clients requiring a signed Data Processing Agreement, GDPR Article 28 compliance documentation, or a sub-processor list for procurement, contact security@penreport.ai. We respond within 2 business days.

You can also review and download our DPA inline from workspace settings.

Last updated: March 2026 · Questions? security@penreport.ai