PentestAI
PentestAI

Data Handling & Trust

Last updated: April 28, 2026

PentestAI is built by security professionals, for security professionals. This page summarizes how we handle your data and the security controls we operate.

Data Storage

Your account data and conversation history are stored in a PostgreSQL database hosted on infrastructure in the European Union. Backups are encrypted at rest. We do not replicate your data across regions without notice.

No Training on Your Data

We do not use your conversation data to train AI models. Anthropic, as our LLM provider, retains API request data for up to 7 days for safety and abuse monitoring purposes, after which it is deleted. They do not use API data for model training. See Anthropic’s usage policy at anthropic.com/policies/usage for the current retention terms.

Transmission Security

All communication between your browser and our servers is encrypted using TLS 1.2+. API calls to Anthropic are also made over TLS. Session cookies are flagged HttpOnly, Secure, and SameSite=Lax in production to mitigate XSS and CSRF risks.

Authentication Security

Passwords are hashed with Argon2id (memory-hard). Session tokens are HS256 JWTs with a configurable TTL. A session_version integer on each user row enables instant global session invalidation (logout-all-devices) without a token blocklist.

Access Controls

Conversation data is isolated per user — no user can access another user’s conversations. All authenticated endpoints enforce email verification and ToS acceptance before allowing AI usage. Rate limiting is applied to all endpoints.

Spend Cap & AI Usage Controls

Each user has a weekly AI spend cap enforced server-side via atomic database locks. The per-user cap prevents runaway costs and limits potential abuse. Spend is tracked in a tamper-evident ledger (one row per AI call).

Data Retention

Your account and conversation data is retained as long as your account is active. You may request deletion of your account and all associated conversation history by emailing security@pentest-ai.example with subject “Account Deletion Request”. We will process deletion requests within 30 days.

Incident Response

We will notify affected users within 72 hours of discovering a data breach as required by GDPR. Security incidents are logged and reviewed by the engineering team.

Responsible Disclosure

Found a vulnerability? We welcome responsible disclosure from the security community.

Email: security@pentest-ai.example

Please include a detailed description of the vulnerability, steps to reproduce, and your assessment of impact. We aim to acknowledge reports within 24 hours and provide a fix timeline within 5 business days for critical issues.

We commit to: (1) not pursuing legal action against good-faith researchers, (2) keeping your report confidential until a fix is deployed, and (3) crediting you in our release notes (if desired).

Questions

For security questions or vulnerability reports, contact security@pentest-ai.example.

For privacy or data handling questions, contact privacy@pentest-ai.example.