achilleus
Log inSign up

Security Policy

Last Updated: October 1, 2025

Effective Date: October 1, 2025

1. What Achilleus Does

Achilleus is a security monitoring service for freelancers and agencies managing client websites. We monitor your domains for common security issues and alert you when problems are detected.

1.1 What We Monitor

  • SSL/TLS Certificates: Expiration dates, validity, configuration strength
  • Security Headers: HSTS, CSP, X-Frame-Options, and other protective headers
  • DNS & Email Security: SPF, DKIM, and DMARC records to prevent email spoofing

1.2 What We Don't Do

Achilleus is a monitoring and alerting tool. We do not:

  • Provide incident response services
  • Fix security issues on your behalf
  • Perform penetration testing or active security testing
  • Monitor application code or database security
  • Provide 24/7 security operations center (SOC) services

When we detect an issue, we send you an alert with clear explanations and actionable recommendations. You remain responsible for fixing any security issues we identify.

2. How We Protect Your Data

2.1 Data We Collect

Account Information:

  • Email address and name
  • Password (hashed using bcrypt)
  • Payment information (processed securely by Stripe, never stored by us)

Scan Data:

  • Domain names you choose to monitor
  • Public security configuration results (SSL certificates, headers, DNS records)
  • Scan timestamps and historical results
  • Generated PDF reports

Important: We only collect publicly available information about your domains. We never access private data, databases, or application code.

2.2 Data Security

Encryption:

  • All data transmitted over HTTPS with TLS 1.3
  • Database encryption at rest via PostgreSQL
  • Secure session management with HTTPOnly and Secure cookies

Access Control:

  • Password requirements: minimum 8 characters with complexity rules
  • Account lockout after 5 failed login attempts
  • Optional Google OAuth authentication
  • User data isolation at the database level

Data Retention:

  • Scan results retained for 12 months
  • Account data kept until you delete your account
  • Complete data deletion within 90 days of account closure
  • You can export all your data in JSON format at any time

2.3 Your Rights

  • Access: View all data we have about you in your account dashboard
  • Export: Download your complete data in machine-readable JSON format
  • Delete: Permanently delete your account and all associated data
  • Correction: Update your account information at any time

3. How We Scan Your Domains

3.1 Safe Scanning Practices

  • Read-only: We only read public configuration, never modify anything
  • Non-intrusive: Standard HTTPS requests, no penetration testing or exploitation
  • Respectful: Rate limiting and timeout enforcement to avoid overwhelming your servers
  • Consent-based: You must add a domain before we scan it

3.2 Network Security

We protect against Server-Side Request Forgery (SSRF) attacks by blocking scans to:

  • Private IP addresses (10.x.x.x, 192.168.x.x, 172.16-31.x.x)
  • Loopback addresses (127.x.x.x, localhost)
  • Cloud metadata endpoints (169.254.169.254)
  • Link-local addresses

This ensures Achilleus cannot be used to scan internal networks or sensitive infrastructure.

3.3 Data Privacy

  • Your scan data is never shared with third parties
  • Reports and results are only accessible to you
  • We don't sell or monetize your monitoring data
  • No tracking across other websites

4. Our Infrastructure

Achilleus is hosted on trusted, enterprise-grade infrastructure:

  • Hosting: Laravel Cloud (powered by AWS)
  • Database: Managed PostgreSQL 15 with encryption at rest
  • Payment Processing: Stripe (PCI DSS Level 1 certified)
  • Email Delivery: Resend (GDPR compliant)
  • Backups: Automated daily backups with 7-day retention

Our infrastructure providers maintain SOC 2 Type II and ISO 27001 certifications. We benefit from their security controls including DDoS protection, network isolation, and automated security monitoring.

4.1 Compliance

  • GDPR compliant (EU data protection regulation)
  • CCPA principles followed for US users
  • Data processing agreements available upon request

5. Responsible Disclosure

Found a security vulnerability in Achilleus itself? We appreciate responsible disclosure.

5.1 How to Report

Contact:

  • Email: support@achilleus.so
  • Subject: "Security Vulnerability"
  • Response Time: Within 24-48 hours

Please Include:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Your contact information

5.2 Our Commitment

  • No legal action against good-faith security researchers
  • Prompt investigation and response
  • Public acknowledgment (if desired) after the issue is resolved
  • Transparent disclosure timeline

5.3 Out of Scope

Please do not test:

  • Social engineering or phishing attacks
  • Denial of Service (DoS) attacks
  • Physical security
  • Third-party services (report to vendors directly)

6. Transparency

6.1 Security Incident History

October 2025 - Present:

  • No security incidents or data breaches
  • No unauthorized access to user data
  • No service compromises

If a security incident occurs, we will:

  • Notify affected users within 72 hours (GDPR requirement)
  • Publish a transparent incident report
  • Take immediate remediation actions
  • Update this page with details after resolution

6.2 Service Status

Monitor Achilleus uptime and performance at: achilleus.so/status

7. Contact Us

Security Questions or Issues:

  • Email: support@achilleus.so
  • For Vulnerabilities: Subject line "Security Vulnerability"
  • Response Time: Within 24-48 hours

Service Status:

General Support:

This security policy was last updated on October 1, 2025. Material changes will be communicated via email to active users.