How we protect your data and operate our infrastructure.
Infrastructure
Aegisnode runs on Microsoft Azure. Our sensor network is distributed across 4 locations.
Application hosted in South Central US with disaster recovery in North Central US
All data encrypted in transit (TLS 1.3) and at rest (AES-256)
Infrastructure managed as code
Automated patching and container hardening
Zero Trust architecture — no implicit trust for any user, device, or network segment
Data handling
What we collect
Scan results (target metadata, open ports, services, certificates, DNS records, vulnerability matches)
Account data (email, organization name, billing information)
Usage analytics (page views, feature usage)
What we don't collect
Content of services behind open ports
Credentials or authentication data
Data from any system we are not explicitly directed to scan
Scan results are retained per subscription tier. Free-tier data is purged after 30 days. All data is deleted within 30 days of account closure upon request.
Access controls
All employee access requires multi-factor authentication
Production systems follow least-privilege access
Access logs maintained and reviewed
No customer data accessed without documented justification
Immutable audit logging for all data access
Scanning methodology
Our scans are designed to be non-disruptive:
Rate-limited to avoid impacting target infrastructure
No exploitation or payload delivery
No credential brute-forcing
Consistent with responsible scanning practices (similar to Shodan, Censys, and other internet-wide scanning projects)
Sensor IPs are documented and can be whitelisted or blocked at your discretion
Compliance
Current
SOC 2 Type II — Expected Q4 2026
GDPR-compliant data handling for EU users
CCPA-compliant for California residents
Data processing agreements available upon request
Vulnerability disclosure
We welcome responsible disclosure of security vulnerabilities in Aegisnode's own infrastructure or application. Report security vulnerabilities to security@aegisnode.io.
We do not pursue legal action against researchers acting in good faith.
Incident response
In the event of a security incident affecting customer data:
Affected customers notified within 72 hours
Public disclosure on this page and via email
Root cause analysis published after remediation
No incidents to date. This section will be updated if that changes.
Founder
Aegisnode was built by a security practitioner. Security is not a feature we bolted on — it is how the product was designed from day one. If you have questions about our security practices that aren't answered here, email me directly.