Security
How we handle your data and the sites we scan — with honesty and care.
How we scan
AgentVeris makes read-only HTTP requests to publicly accessible URLs on the sites you scan. We fetch your homepage, robots.txt, sitemap, UCP manifest, and up to 10 product page links. We do not interact with any login flows, checkout processes, or authenticated pages. We do not execute JavaScript on target sites.
What we store
We store the scan results: the URL you submitted, the scores, and the individual check results. We do not store the full HTML of your pages. If you're not logged in, anonymous scan results are automatically purged after 30 days. Logged-in users retain their scan history until they delete their account.
What we don't collect
We do not collect credentials, payment information, or personal data about your customers. We do not set cookies on the sites we scan. We do not share scan results with third parties. We do not sell data.
Infrastructure
AgentVeris runs on Railway (API, worker, and PostgreSQL database) in the US region, and Vercel (frontend CDN). Data at rest is encrypted. All API traffic is served over HTTPS. Authentication uses JWT tokens with short expiry and refresh rotation.
Responsible disclosure
If you discover a security vulnerability in AgentVeris, please contact us with the subject "Security Disclosure". We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days. We appreciate responsible disclosure and will credit researchers who report valid findings.