Security is the product.
You point Audaitly at your clients' sites. That trust is the whole business, so we treat your data, and theirs, with the care a security company would.
Every agency's data is walled off at the database.
Audaitly is multi-tenant, and we enforce that boundary where it actually counts, in the database, not just in application code.
- Row-Level Security (RLS) policies scope every read and write to the organization that owns the row.
- The application connects as an unprivileged role that cannot bypass those policies, so a query bug can’t leak another agency’s data.
- With no tenant context, queries fail closed, returning nothing rather than everything.
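As an added example (not Audaitly's schema or code), this is what a database-enforced tenant boundary of the kind described above looks like in PostgreSQL, which is assumed here; the table, role and setting names are illustrative, and the final queries show the fail-closed behaviour when no tenant context is set.

```sql
-- Assumed: PostgreSQL. All names below are illustrative, not Audaitly's.
CREATE TABLE findings (
    id      bigserial PRIMARY KEY,
    org_id  uuid  NOT NULL,
    url     text  NOT NULL,
    detail  jsonb NOT NULL
);

-- Enable RLS, and FORCE it so even the table owner is subject to the policies.
ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings FORCE ROW LEVEL SECURITY;

-- The tenant is carried in a per-request session setting.
-- current_setting(name, true) returns NULL when the setting was never set,
-- and '' after a SET LOCAL has gone out of scope; NULLIF maps both to NULL.
CREATE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.org_id', true), '')::uuid
$$;

-- One policy scopes reads (USING) and writes (WITH CHECK) to the owning org.
-- With no tenant context, org_id = NULL evaluates to NULL, never true,
-- so every row is hidden and every write is rejected: fail closed.
CREATE POLICY tenant_isolation ON findings
    FOR ALL
    USING      (org_id = current_org_id())
    WITH CHECK (org_id = current_org_id());

-- The application role: not a superuser, not the table owner, NOBYPASSRLS.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON findings TO app_user;
GRANT USAGE, SELECT ON SEQUENCE findings_id_seq TO app_user;

-- Per-request usage, connected as app_user (constructed sample org id):
BEGIN;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';
SELECT id, url FROM findings;   -- returns only this organization's rows
COMMIT;

-- A write for a different org is rejected by WITH CHECK, even with a tenant set:
BEGIN;
SET LOCAL app.org_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO findings (org_id, url, detail)
    VALUES ('22222222-2222-2222-2222-222222222222', 'https://example.com', '{}');
-- ERROR: new row violates row-level security policy for table "findings"
ROLLBACK;

-- A code path that forgot to set the tenant sees nothing, not everything:
SELECT count(*) FROM findings;  -- 0
```

Run the setup as the schema-owning migration role, then connect as app_user for the per-request statements; the policy is what does the scoping, so the application never needs to append its own WHERE org_id clause.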
The controls behind every audit.
Encryption in transit
Encryption at rest
No training on your data
Scoped crawling
Role-based access
Backups & recovery
Prompt-injection defenses
Network hardening
Independent security reviews
From authorized URL to finished report.
Five steps, each with a control attached. No step happens without the one before it.
- 01 You authorize a URL
An audit starts with an explicit instruction from your team. We never crawl a site you haven't pointed us at.
- 02 Scoped crawl in an isolated browser
A sandboxed browser visits only the authorized pages, with SSRF navigation guards blocking any hop toward internal or private infrastructure.
- 03 Analysis by our AI engine
Page content is analyzed by our AI engine. Your content is never used to train AI models, and prompt-injection defenses keep page text from steering the audit.
- 04 Findings stored tenant-isolated
Results land in a database where Row-Level Security scopes every row to your organization, enforced by a role that cannot bypass those policies.
- 05 You control export and deletion
Your findings and reports are yours. Export them when you need them, and request deletion when you're done. Our DPA sets out the deletion terms.
The legal side of this pipeline, including sub-processors and deletion commitments, lives in our Data Processing Agreement and Privacy Policy.
Boring on purpose, where it matters.
The operational controls are deliberately unexciting: small roles, short-lived access, and the server as the only judge of what's allowed.
Least-privilege roles
Database-backed sessions
Server-side authorization
Secrets stay server-side
If something breaks, your data doesn't.
Nightly encrypted backups
~14-day rolling retention
Pre-deploy snapshots
Vulnerability Disclosure Policy
We want to hear from security researchers, and we want the rules of engagement to be clear.
Scope
The Audaitly web application, API, and marketing site. Third-party services we rely on (hosting, email, payments) are governed by their own disclosure programs.
What we ask
- Don’t access, exfiltrate, or modify data that isn’t yours; use test accounts and stop at the minimum needed to demonstrate the issue.
- Don’t disrupt the service for other users (no denial-of-service, spam, or social engineering of our team or customers).
- Give us a reasonable window to fix the issue before any public disclosure.
Our commitment
We will acknowledge your report within 72 hours, keep you informed as we investigate, and credit you if you’d like. Good-faith security research conducted in line with this policy is welcome here: we will not pursue or support legal action against researchers who follow it.
Report vulnerabilities to security@audaitly.ai. Please include steps to reproduce and, if possible, the affected URL or endpoint.
What we're building next.
We're an early, invite-only product and we'd rather be honest about what's shipped versus what's coming.
Found something? Tell us.
We welcome responsible disclosure. If you believe you’ve found a vulnerability, email us and we’ll acknowledge within 72 hours and work with you to get it fixed.
security@audaitly.ai