Compliance & Security
Security controls, data protection, and responsible scanning practices for teams that need confidence before they connect assets
PortWarden is designed around authorized scanning, limited data retention, and controlled access.
PortWarden helps customers monitor internet-facing exposure and run on-demand testing against assets they own or are explicitly authorized to test. Because our work touches sensitive security findings, our platform is operated with a security-first architecture, strict access controls, encrypted data handling, and a documented operating model.
This page summarizes our current security and compliance posture for customers, managed service providers, and procurement teams. Formal security documentation and independent assessment materials are available under NDA for qualified customers.
Compliance posture at a glance
- US-only infrastructure
- Private network architecture with restricted administrative access
- Customer scan data encrypted at rest and in transit
- Customer scan artifacts retained for 30 days
- Mandatory MFA and role-based least-privilege access
- Opt-in scanning only, after mandatory know-your-customer (KYC) verification of each client
- Independent security engineering oversight and documentation
Security controls aligned with common compliance expectations
PortWarden does not publicly claim a SOC 2 attestation, ISO 27001 certification, PCI DSS validation, or HIPAA compliance unless and until those formal assessments are completed. We do operate controls that align with the expectations of those frameworks and can support customer security reviews with evidence.
SOC 2 aligned
Our controls are designed around the security and confidentiality Trust Services Criteria and the common criteria that SOC 2 reviews focus on most: logical access control, monitoring, and change management visibility.
ISO 27001 aligned
Our operating model maps to practical ISO 27001 control areas such as access management, asset protection, supplier risk, incident handling, and information security governance.
NIST CSF aligned
PortWarden maps its practices to the five NIST CSF functions (identify, protect, detect, respond, recover) through restricted infrastructure, logging, monitoring, incident response, and customer communication.
CIS Controls aligned
Our practices emphasize least privilege, controlled access, encrypted data handling, secure configuration, vulnerability visibility, audit logging, and accountable operations.
Designed to reduce exposure, limit access, and protect customer scan data
Our compliance posture starts with architecture. PortWarden is cloud-based, privately networked, access-restricted, and built around limited retention of security-sensitive artifacts.
US-only cloud infrastructure
PortWarden infrastructure is hosted in the United States with a cloud infrastructure provider. Physical security of the data centers is provided by that host; PortWarden layers network segmentation and resilient hosting practices on top of it.
Encrypted customer data
Customer scan data is encrypted in transit and at rest. Scan artifacts are stored in encrypted object storage and retained for 30 days unless a shorter retention period is required by agreement.
Private network architecture
Core infrastructure is segmented from public-facing components, and internal services are not exposed to the internet. Administrative access is restricted to authorized personnel over controlled private access paths.
Least-privilege access
Internal access is role-based and limited to the minimum access needed. MFA is required for administrative access, and access decisions are tied to operational need.
Permanent access and audit logs
Access logs and audit logs are retained permanently (they are excluded from the 30-day scan artifact retention window) to support accountability, security review, incident investigation, and customer assurance when a qualified review requires evidence.
Independent security oversight
PortWarden retains penetration testing reports and security documentation produced by an external security engineering firm that reviews and helps maintain our security posture.
Authorization is not optional. Customers must verify who they are and what they control.
PortWarden is not an anonymous scanning platform. Customers are required to complete KYC before scanning is enabled, and scanning is opt-in only. Customers must own the targets they add or have explicit authorization to test them.
This model protects customers, reduces abuse risk, and supports procurement teams that need to know the platform is designed for legitimate security operations rather than unsupervised internet scanning.
Authorization controls
- Mandatory client KYC before scanning access
- Opt-in scanning for authorized assets only
- Ownership and authorization expectations built into onboarding
- Customer-controlled asset scope
- No anonymous public scanning workflow
- Security documentation available to qualified customers under NDA
We collect only what we need to provide exposure monitoring and scan reporting.
PortWarden stores customer scan data and related operational records needed to provide monitoring, reporting, retesting, auditability, and customer support. We do not use customer scan data to build unrelated products, and scanning remains customer-authorized and scope-bound.
Customer scan artifacts are retained for 30 days in encrypted storage. Access is role-based and limited to personnel with a legitimate operational need.
Data protection summary
- Customer scan data encrypted at rest and in transit
- 30-day retention for customer scan artifacts
- Role-based internal access
- Minimum necessary access model
- US-only infrastructure footprint
- Permanent access and audit log retention
- No external subprocessors for core platform operations beyond infrastructure hosting
Clear notification standards for confirmed material security incidents
PortWarden follows a documented incident response process built on rapid triage, containment, remediation, evidence preservation, and customer notification when a confirmed material incident affects customer data or service security.
1. Triage within 24 hours
Potential incidents are reviewed, classified, and escalated based on impact, data sensitivity, and risk to customers or platform operations.
2. Containment and remediation
Confirmed issues are contained, investigated, remediated, and documented. Evidence is preserved through access logs, audit logs, and operational records.
3. Customer notification
For confirmed material incidents affecting customer data or service security, PortWarden aims to notify affected customers within 72 hours of confirmation and to provide updates until the incident is closed.
Need security evidence for vendor review or procurement?
Qualified customers can request security documentation, independent security assessment materials, architecture summaries, data handling details, and control explanations under NDA. We keep public claims conservative so customers can trust that our compliance language is accurate.