
Security & Audits

Transparency in our security practices, independent audits, and our commitment to protecting your data.

Latest Security Audit

  • Audit Date: January 2026
  • Auditor: Independent Security Firm
  • Critical Findings: 0
  • Status: ✓ All Issues Resolved

Our annual penetration test was completed in January 2026. All findings categorized as Medium severity were remediated immediately, and the remediation was verified by the audit team.

Infrastructure Security

AWS VPC with Private Subnets

All infrastructure runs in an isolated Virtual Private Cloud with network segmentation and strict security group rules.

  • ✓ Private database subnets (no public access)
  • ✓ Network ACLs as an additional layer of security
  • ✓ VPC Flow Logs enabled for monitoring

WAF & DDoS Protection

AWS Web Application Firewall and Shield protect against common web exploits and distributed denial of service attacks.

  • ✓ SQL injection prevention
  • ✓ XSS attack blocking
  • ✓ Rate limiting per IP

Database Encryption

All data encrypted at rest using AES-256 encryption with automated key rotation.

  • ✓ RDS encryption enabled
  • ✓ Automated backup encryption
  • ✓ AWS KMS key management

TLS 1.3 Encryption

All communications are encrypted in transit using the TLS 1.3 protocol with strong cipher suites.

  • ✓ SSL/TLS certificates auto-renewed
  • ✓ HTTP Strict Transport Security (HSTS)
  • ✓ Perfect forward secrecy

Intrusion Detection

24/7 monitoring with automated alerts for suspicious activities and security events.

  • ✓ AWS GuardDuty threat detection
  • ✓ CloudWatch log analysis
  • ✓ Automated incident response

Regular Security Patches

Automated security patching with monthly updates to all system components.

  • ✓ Automated OS patching
  • ✓ Dependency vulnerability scanning
  • ✓ Container image updates

Vulnerability Disclosure Program

Active Bug Bounty Program

We believe in responsible disclosure and collaborate with security researchers to identify and fix vulnerabilities before they can be exploited.

How to Report

  1. Email security findings to security@checkappsec.com
  2. Include detailed reproduction steps and an impact assessment
  3. Allow us 90 days for remediation before public disclosure
  4. Receive acknowledgment within 24 hours

Reward Structure

  • Critical (remote code execution, data breach): $1,000 - $5,000
  • High (authentication bypass, SQL injection): $500 - $1,000
  • Medium (XSS, CSRF, information disclosure): $100 - $500

Hall of Fame: Researchers who report valid security issues will be acknowledged on our security hall of fame (with permission).

Incident Response Plan

24/7 Security Operations

  • Detection & Alert: <1 hour
  • Containment: <4 hours
  • Eradication: <24 hours
  • Post-Incident Report: 5 days

Phase 1: Detection (0-1 hour)

Automated monitoring alerts → 24/7 SOC notification → Incident classification → Stakeholder notification

Phase 2: Containment (1-4 hours)

Isolate affected systems → Preserve evidence → Customer notification (if required) → Prevent spread

Phase 3: Eradication (4-24 hours)

Root cause analysis → Vulnerability patching → System hardening → Verification testing

Phase 4: Recovery (24-48 hours)

Service restoration → Enhanced monitoring → Customer communication → Documentation

Security Team & Certifications

Our security team brings decades of combined experience in application security, penetration testing, and compliance.

CISSP Certified

Certified Information Systems Security Professional

CEH Certified

Certified Ethical Hacker

OSCP Certified

Offensive Security Certified Professional

Cyber Insurance Coverage

We maintain $5 million in cyber liability insurance coverage, protecting our customers against data breaches, cyber attacks, and security incidents.

  • Coverage Limit: $5M
  • Incident Response: 24/7
  • Legal Defense: Included

Report a Security Issue

If you discover a security vulnerability, please email us immediately. We take all reports seriously and respond within 24 hours.


Last Updated: February 28, 2026