Security at SecurityScore.me
We use HIBP breach data only. We store the minimum needed for breach checks and email alerts. This page summarizes our technical and operational security, how alerts work, and how to report a vulnerability.
1. Technical and Operational Security
We use industry-standard measures to protect your data and our systems:
- Data in transit: TLS (HTTPS) for all connections.
- Data at rest: encryption where provided by our infrastructure (e.g. database, hosting).
- Access control: least-privilege access to production systems; secrets in environment variables, not in code.
- Security headers: CSP, HSTS, X-Frame-Options, and related headers on the site.
2. How Breach Alerts Work
For monitored emails (paid plans), we run scheduled checks against Have I Been Pwned (HIBP) breach data. When new breaches are found for an email, we send an alert email to the address you configured. We do not read your inbox; we only query HIBP by email address and compare results with the previous run.
You can turn off alerts per email or globally via the unsubscribe link in each email or via your account settings.
3. Data Handling Summary
We store the minimum needed to provide breach checks and monitoring: account email (and optional name), monitored email addresses, timestamps (e.g. last check), alert preferences, and breach snapshot metadata (breach names, counts). We never store passwords. We do not read or access your inbox. For more detail, see our Privacy Policy.
4. Reporting a Vulnerability
If you believe you have found a security vulnerability in our service, please report it to us responsibly. Contact us at info@securityscore.me with a clear description and steps to reproduce. We will acknowledge receipt and work with you to understand and address the issue. We do not run a formal bug bounty program; we still appreciate responsible disclosure.
5. Contact
For security or privacy questions, contact us at info@securityscore.me.