Security


Last updated: January 14, 2026

Security FAQ

Common questions about data security and privacy.


Data Protection

How is my code protected?

Your code is protected with multiple layers:

| Layer | Protection |
|-------|------------|
| Transit | TLS 1.3 encryption |
| Storage | AES-256 encryption at rest |
| Access | Role-based access control |
| Audit | Full audit logging |
| Network | VPC isolation, firewalls |

Who can access my code?

  • Your team: Members in your organization
  • BlockSecOps: Only for support purposes, with your permission
  • Third parties: Never

Is my code used for AI training?

No. Your code is:

  • Never used to train models
  • Never shared with third parties
  • Never included in datasets
  • Deleted according to retention policy

Data Storage

Where is my data stored?

Default regions:

  • US: AWS us-east-1, us-west-2
  • EU: AWS eu-west-1 (Enterprise option)

Enterprise plans can specify data residency requirements.

How long is data retained?

| Data Type | Default Retention |
|-----------|-------------------|
| Scan results | 1 year |
| Source code | 30 days |
| Audit logs | 2 years |
| Account data | Until deletion |

Can I change retention settings?

Enterprise plans can customize:

  • Shorter retention (delete immediately after scan)
  • Longer retention (extended history)
  • Custom per-project settings

Can I delete my data?

Yes, immediately:

  • Individual contracts: Delete from Contracts page
  • Individual scans: Delete from Scans page
  • All data: Account deletion in Settings

Deletion is permanent and cannot be undone.


Compliance

Is BlockSecOps SOC 2 compliant?

Yes. BlockSecOps is SOC 2 Type II certified. Request our SOC 2 report via [email protected].

Is BlockSecOps GDPR compliant?

Yes. We comply with GDPR including:

  • Data processing agreements
  • Right to access/delete
  • Data portability
  • Breach notification
  • Privacy by design

Do you offer a DPA?

Yes. Enterprise plans include a Data Processing Agreement. Contact sales for details.

What about HIPAA, PCI, etc.?

Smart contracts typically don't involve regulated data types. Contact us if you have specific compliance requirements.


Authentication

What authentication methods are available?

| Method | Description |
|--------|-------------|
| Email/password | Standard authentication |
| Google OAuth | Sign in with Google |
| GitHub OAuth | Sign in with GitHub |
| Microsoft OAuth | Sign in with Microsoft |
| Web3 wallet | MetaMask, WalletConnect (SIWE) |
| SSO/SAML | Enterprise single sign-on |

Is 2FA available?

Yes. Enable two-factor authentication:

  1. Go to Settings → Security
  2. Click Enable 2FA
  3. Scan QR code with authenticator app
  4. Enter confirmation code

What about SSO?

Enterprise plans support:

  • SAML 2.0
  • OpenID Connect
  • Okta, Azure AD, Google Workspace
  • Custom IdP integration

API Security

How are API keys secured?

  • Keys are hashed (not stored in plain text)
  • Shown only once at creation
  • Can be scoped with minimal permissions
  • Support expiration dates
  • IP allowlisting available (Enterprise)

What permissions can API keys have?

Granular scopes:

  • contracts:read, contracts:write
  • scans:read, scans:write
  • vulnerabilities:read, vulnerabilities:write
  • organizations:read, organizations:write
  • And more...

How do I rotate API keys?

  1. Create new key with same permissions
  2. Update applications to use new key
  3. Verify functionality
  4. Revoke old key

We recommend rotating production keys every 90 days.
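How a service can implement the key properties listed above (hashed at rest, shown once, scoped, expiring) and the four rotation steps without an outage, as an added example that is not BlockSecOps code. The in-memory store, the SHA-256 digest, the key_id/secret split and all function names are this example's assumptions; the scope strings and 90-day lifetime are taken from the FAQ.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed in-memory key store (key_id -> record). Scope strings and the
# 90-day default lifetime come from the FAQ; SHA-256 digests, the id/secret
# split and the function names are this example's own assumptions.
KEY_STORE: dict = {}


def create_key(scopes: set, lifetime_days: int = 90) -> tuple:
    """Mint a key and return (key_id, secret). The secret is handed to the
    caller exactly once; only its SHA-256 digest is kept server side."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    KEY_STORE[key_id] = {
        "digest": hashlib.sha256(secret.encode()).hexdigest(),
        "scopes": set(scopes),
        "expires": datetime.now(timezone.utc) + timedelta(days=lifetime_days),
        "revoked": False,
    }
    return key_id, secret


def authorize(key_id: str, secret: str, required_scope: str) -> bool:
    """Allow a call only if the key exists, is neither revoked nor expired,
    the presented secret matches its digest and it carries the scope."""
    rec = KEY_STORE.get(key_id)
    if rec is None or rec["revoked"]:
        return False
    if datetime.now(timezone.utc) >= rec["expires"]:
        return False
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(presented, rec["digest"]):
        return False  # constant-time compare, no early exit on mismatch
    return required_scope in rec["scopes"]


def rotate_key(old_key_id: str) -> tuple:
    """Rotation step 1: mint a replacement with the same scopes. The old key
    keeps working until revoke_key() (step 4), so applications can be
    switched over and verified in between without an outage."""
    return create_key(KEY_STORE[old_key_id]["scopes"])


def revoke_key(key_id: str) -> None:
    """Rotation step 4: the old key is rejected from now on."""
    KEY_STORE[key_id]["revoked"] = True
```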


Network Security

Is data encrypted in transit?

Yes. All connections use:

  • TLS 1.3
  • Strong cipher suites
  • HSTS enabled
  • Certificate pinning (mobile)

What IPs does BlockSecOps use?

Webhook and API callback IPs:

52.45.123.0/24
54.87.234.0/24

Enterprise plans receive dedicated IP ranges.
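How a webhook receiver can restrict inbound callbacks to the ranges above, as an added example that is not BlockSecOps code. It uses the two ranges published on this page; the function names, the trusted-proxy handling and the sample addresses are this example's assumptions.

```python
import ipaddress

# The two ranges published on this FAQ for webhook and API callbacks.
# Enterprise tenants with dedicated ranges would substitute their own.
BLOCKSECOPS_CALLBACK_RANGES = [
    ipaddress.ip_network("52.45.123.0/24"),
    ipaddress.ip_network("54.87.234.0/24"),
]


def effective_peer(remote_addr: str, forwarded_for: str = "",
                   trusted_proxies: frozenset = frozenset()) -> str:
    """Decide which address to check. X-Forwarded-For is honoured only when
    the direct peer is one of our own proxies, and then only its rightmost
    entry, the one that proxy appended; anything earlier is caller-supplied."""
    if remote_addr in trusted_proxies and forwarded_for:
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def is_blocksecops_source(peer_ip: str) -> bool:
    """True if the address lies in a published callback range. Unparseable
    input is rejected, and an IPv4-mapped IPv6 address (what a dual-stack
    listener reports, e.g. ::ffff:52.45.123.7) is unmapped before the check."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKSECOPS_CALLBACK_RANGES)
```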

Do you support VPN/private connectivity?

Enterprise plans can use:

  • AWS PrivateLink
  • VPN tunnels
  • Direct Connect

Scanning Security

Is scanning isolated?

Yes. Each scan runs in:

  • Isolated container
  • Separate network namespace
  • Limited resources
  • Auto-terminated after completion

Can contracts be executed during scanning?

Scanners analyze code statically and symbolically. For fuzz testing (Echidna, Medusa):

  • Runs in sandboxed environment
  • No network access
  • No persistent state
  • Cannot affect external systems

What about malicious code in uploads?

Uploads are:

  • Scanned for known malware patterns
  • Sandboxed during analysis
  • Never executed on host systems
  • Quarantined if suspicious

Incident Response

What happens if there's a breach?

Our incident response includes:

  1. Immediate containment
  2. Investigation and root cause
  3. Customer notification (within 72 hours for GDPR)
  4. Remediation
  5. Post-incident review

How do I report a security issue?

Report security vulnerabilities to:

  • Email: [email protected]
  • Response: Within 24 hours
  • Bug bounty: Available for qualifying issues

Is there a bug bounty program?

Yes. We reward responsible disclosure:

  • Critical: Up to $10,000
  • High: Up to $5,000
  • Medium: Up to $1,000
  • Low: Recognition

Contact [email protected] for details.


On-Premise

Can I run BlockSecOps on my infrastructure?

Yes, Enterprise plans offer:

  • On-premise deployment
  • Private cloud hosting
  • Air-gapped environments
  • Full data control

What are the requirements?

On-premise requires:

  • Kubernetes cluster (1.25+)
  • 8+ CPU cores, 32GB+ RAM
  • 100GB+ storage
  • Network access for updates (or air-gap package)

Contact sales for detailed requirements.


Vendor Security

How do you vet third-party tools?

Scanners are:

  • Open source and auditable
  • Run in isolated containers
  • Cannot access customer data
  • Regularly updated and patched

What about supply chain security?

We implement:

  • Signed container images
  • SBOM (Software Bill of Materials)
  • Dependency scanning
  • Regular security audits
