Current controls, bounded claims

Security information you can evaluate.

This page describes controls visible in the current AdverseMonitor application and states where public assurance evidence is not available. It is not a certification report.

Current assurance status: AdverseMonitor does not publish a SOC 2 report, ISO 27001 certificate, penetration-test attestation, or uptime SLA on this site. We therefore do not claim those assurances here.
01

Account authentication

Account passwords are hashed before storage. The application also implements passkey registration and authentication routes. Session and authorization checks protect signed-in pages and server actions.

02

API credentials

API requests require bearer authentication. Stored API-key records use a key prefix for identification and a hash for verification. Keys can expire, be revoked, and are subject to plan and endpoint checks.

03

Access boundaries

Application queries associate customer resources such as profiles, keys, and usage with the authenticated user. Database migrations include row-level security policies as an additional access boundary.

04

Rate limiting and logging

Authentication, general application requests, and public API use have implemented rate-limit checks. API usage and application activity are recorded for operational review.

05

Notification control

Email recipients and collaboration webhooks are customer-configured fields. A monitoring profile can be used dashboard-only with every outbound notification channel left blank.

06

Monitoring scope

The product matches customer-supplied terms against collected threat records. It does not require an agent inside the customer network for the monitoring workflow described on this site.

What this page supports

  • HTTPS is used for the public website and platform endpoints.
  • Password hashing and passkey flows exist in the application.
  • Bearer API authentication, key hashing, expiration and revocation controls exist.
  • Plan-based API authorization and rate limits are implemented.
  • User-scoped application queries and database RLS policies exist.
  • Activity and API-usage logging exist.

What this page does not claim

  • SOC 2 Type I or Type II compliance
  • ISO 27001 certification
  • A completed independent security audit
  • A recurring penetration-test schedule
  • SAML or enterprise SSO availability
  • A contractual 99.9% uptime or response-time SLA
  • Encryption-at-rest specifications not documented here
Responsible disclosure

Report a suspected security issue

If you believe you found a vulnerability, send a concise report to security@adversemonitor.com with the affected URL, reproduction steps, potential impact, and any supporting evidence. Do not access other users’ data, disrupt service, or use social engineering.

This address is for inbound reports. Visiting this page or using the product does not trigger an email.