ShipSafer Security & Trust
We run every scan on ourselves. The certifications below are issued and continuously re-verified by the ShipSafer platform — the same way we certify our customers.
Certifications
Live-verified at shipsafer.ai/trust/shipsafer.ai
Verified Secure
HTTP security headers, SSL/TLS, cookie policies, CORS, and CSP pass automated checks on every deploy.
Since Jan 2025
GDPR Compliant
Data minimisation, right-to-erasure, DPA-compliant processing, and explicit consent for all cookies.
Since Jan 2025
SOC 2 Ready
Security, availability, and confidentiality controls documented and tested. Audit logs for 12 months.
Since Jan 2025
GenAI Security Certified
OWASP LLM Top 10 mitigations — prompt injection, jailbreak, output injection, and model integrity.
Since Jan 2025
EU AI Act Ready
Risk classification documented, human oversight in place, AI transparency disclosures published.
Since Jan 2025
ISO 42001 Aligned
AI Management System controls per ISO/IEC 42001:2023 — risk assessments, model governance, monitoring.
Since Feb 2025
HIPAA Ready
Access controls, audit logs, encryption at rest and in transit, minimum-necessary data access.
Since Feb 2025
PCI-DSS Ready
No card data stored. Payment processing via Stripe (PCI-DSS Level 1). SSL, CORS, and CSP enforced.
Since Feb 2025
Highly Secure
Headers, SSL, cookies, CORS, and CSP enforcement in the top tier. Re-verified on every deployment.
Since Jan 2025
Full Stack Certified
Frontend, backend, GenAI, DevOps, and compliance controls independently verified — top tier.
Since Mar 2025
Security Controls
Encryption
- TLS 1.3 in transit
- AES-256 at rest
- Backups encrypted separately
- bcrypt for credentials
Access Control
- Role-based permissions
- HTTP-only JWT cookies
- 7-day session expiry
- Admin actions logged
Monitoring
- Structured audit logs
- 12-month log retention
- Login anomaly detection
- PII-scrubbed telemetry
CI/CD Security
- Secrets scan on every push
- Dependency vuln scanning
- Review-gate for production
- IaC reviewed pre-apply
Infrastructure
- Vercel (SOC 2 Type II)
- MongoDB Atlas (ISO 27001)
- Upstash Redis (SOC 2)
- Vercel Edge CDN
Network Security
- WAF on all endpoints
- Rate limiting per user
- CORS strict-origin policy
- CSP enforced headers
Data Handling
- No advertising/tracking
- 90-day scan retention
- Right-to-erasure (GDPR)
- DPA-bound sub-processors
Vulnerability Disclosure
- security@shipsafer.ai
- 48h acknowledgement SLA
- 30-day resolution target
- Safe harbour for researchers
Privacy & Data
Your Data Rights
Export, correct, or delete your data at any time directly from your account settings.
Manage in settings
Vulnerability Disclosure
Report security issues to security@shipsafer.ai. We acknowledge within 48 hours.
Email us
Sub-processors
Third-party services used to deliver ShipSafer. All are contractually bound to our data protection standards.
| Provider | Purpose | Location | Certification |
|---|---|---|---|
| Vercel | Hosting & CDN | US / EU | SOC 2 Type II |
| MongoDB Atlas | Database | US / EU | ISO 27001, SOC 2 |
| Upstash | Redis — rate limiting & cache | US / EU | SOC 2 |
| Stripe | Payment processing | US | PCI-DSS Level 1 |
| OpenRouter | AI model routing | US | SOC 2 (in progress) |
| Resend | Transactional email | US | SOC 2 |
Get your product certified too
Run ShipSafer on your domain, repository, or cloud account and issue the same trust certificates to show customers you take security seriously.