How SQUR earns your trust

How SQUR operates safely, validates findings, protects data, and supports compliance. Everything your security team and auditors need before signing.

EU-Hosted Data · Verified Findings Only · 24h SLA · Free Retest Included

Security Commitments

Core principles that govern how SQUR's autonomous agents operate on every engagement.

Scoped Testing Only

SQUR operates strictly within authorized targets and scope definitions. Testing never extends beyond what you have explicitly authorized. Out-of-scope assets are automatically excluded.

Rate Limits & Controlled Execution

All automated activity is rate-limited to prevent service disruption. Testing uses non-destructive techniques with configurable throttling. Production environments can specify additional safeguards.

Verified Findings Only

Every reported vulnerability is actively exploited and confirmed by SQUR's AI agents before appearing in your report. If we can't prove it's real, we don't report it.

No DoS, No Data Exfiltration

SQUR never attempts denial-of-service attacks or exfiltrates real data. When exploitation is needed to confirm a finding, it uses synthetic payloads in isolated test conditions.

Full Audit Trail

Every action taken during a pentest is logged with timestamps, reasoning, and evidence. Viewable in your dashboard and included in the final report for complete transparency.

Free Retest Included

After you remediate findings, retest for free to confirm vulnerabilities are resolved. The evidence loop closes - one test price covers the full fix-verify cycle.

Compliance Framework Coverage

SQUR reports are structured to provide evidence supporting the security testing requirements within common compliance frameworks. We provide mapped evidence - we do not claim certification ourselves.

Reports mapped to: ISO 27001, SOC 2, GDPR, NIS2, DORA, BSI, CRA

| Framework | Relevant Control | SQUR Evidence Provided | Coverage |
|---|---|---|---|
| ISO 27001:2022 | Annex A 8.8 - Technical vulnerability management | Timestamped pentest report, verified findings, remediation evidence | ✓ Supported |
| SOC 2 Type II | CC7.1 - Logical & physical access controls; CC9.2 - Risk management | Penetration test evidence, vulnerability disclosure, retest confirmation | ✓ Supported |
| DORA (Article 24) | Resilience testing programme including penetration testing | Comprehensive test report, exploited findings list, remediation evidence | ✓ Supported |
| NIS2 | Article 21 - Cybersecurity risk-management measures | Vulnerability assessment, severity ratings, remediation guidance | ✓ Supported |
| GDPR (Article 32) | Technical security measures appropriate to risk | Security testing evidence demonstrating proactive risk management | ✓ Supported |
| CRA (Cyber Resilience Act) | Essential cybersecurity requirements for digital products | API and web application security testing evidence | ~ Partial |

Our Certification Posture

We are actively working toward ISO 27001 and SOC 2 Type II certification. We will publish audit dates once they are committed. In the meantime, our reports are structured to support customers pursuing these frameworks, and the controls below are in active day-to-day operation.

  • GDPR Article 25 Privacy by Design: Active (ongoing)
  • Annual External Penetration Test: Active (ongoing)

Data Handling & Privacy

We minimize what we collect, protect what we store, and give you clear data retention controls.

Data Residency

  • All customer data stored in EU cloud regions (europe-west1, Belgium)
  • No data transferred outside the EU/EEA without explicit consent
  • GDPR-compliant data processing agreements available on request

Encryption

  • In transit: TLS 1.2+ enforced on all connections
  • At rest: AES-256 managed encryption (Google Cloud KMS)
  • Credentials and tokens stored separately from report data

Retention & Deletion

  • Test data retained for a limited period after test completion
  • Reports available for download during retention window
  • Data deletion on request
  • No sale of customer data to third parties

Access Control

  • Role-based access control within customer accounts
  • Least-privilege internal access to customer data
  • All internal access to production systems logged and audited
  • Multi-factor authentication required for all SQUR staff accessing production

Platform Security

SQUR is built and operated with security-by-default. We eat our own cooking.

Secure SDLC

SQUR's own platform is continuously tested using SQUR. Code changes go through automated security analysis, dependency scanning (Snyk, Dependabot), and SAST before deployment.

Infrastructure Security

Hardened container runtime. Network-level segmentation between customer environments. Strict content security policies. No shared compute between customers during active tests.

Vulnerability Management

Critical vulnerabilities patched within 24 hours. High severity within 7 days. Dependency updates on weekly automated schedule. Penetration testing of SQUR infrastructure conducted annually.

Incident Response

Defined incident response process with escalation paths. Customer notification within 72 hours for any data incidents, as required by GDPR Article 33. Post-incident reports available on request.

Service Levels

Our operational commitments on every engagement.

  • 24h - Pentest Delivery SLA: Standard engagements delivered within 24 hours of target configuration. Large or complex scopes may require up to 48 hours.
  • 0 - Verified Findings Only: Every reported finding is confirmed exploitable through dual-AI verification. Unverified potential issues are not included in reports.
  • Free - Retest Included: Free retest on all findings from every engagement. No additional charge to verify your fixes are effective.
  • EU - Data Residency: All customer data stored in Belgium (europe-west1), within the EU. Some operational telemetry may be processed by EU-compliant sub-processors.
  • High - Platform Availability: Planned maintenance communicated in advance. Enterprise SLAs available on request.

Enterprise SLAs with formal commitments and penalties available on request. Contact sales@squr.ai.

Responsible Disclosure

We welcome good-faith security research and follow a coordinated disclosure process.

Report a Security Issue

Email security@squr.ai with a description of the vulnerability, steps to reproduce, and your assessment of impact. We respond to all reports within 5 business days.

In scope: squr.ai, app.squr.ai, and any SQUR-operated infrastructure.
Out of scope: Social engineering, physical attacks, volumetric DoS, and issues in third-party services we use.

We do not pursue legal action against researchers acting in good faith. We ask that you do not publicly disclose before we have had 90 days to investigate and remediate.

Our /.well-known/security.txt and PGP key will be published here. In the meantime, email the address above.

Frequently Asked Questions

Yes. SQUR uses non-destructive techniques, strict rate limits, and scoped execution. For sensitive production environments, you can specify a testing window and additional throttling. We never execute DoS techniques or exfiltrate real production data.

Every finding SQUR reports has been actively exploited during the test, then independently re-verified by a separate verification agent before it is added to the report. Our AI agents attempt real exploitation - not pattern-matching or keyword scanning. If exploitation cannot be reproduced, the finding is discarded. Every reported finding includes a proof-of-exploit and a reproduction script.

SQUR stores your target configuration, test results, and generated reports. We do not collect or retain actual production data. Test payloads use synthetic data. All stored data is encrypted at rest and in transit, and retained for a limited period.

Yes. SQUR reports are structured to provide evidence supporting the technical vulnerability management controls in ISO 27001 (Annex A 8.8) and SOC 2 (CC7.1). SQUR reports are designed to be accepted as evidence of penetration testing. See the compliance table above for full framework coverage.

Third-party security assessments and external audits are in progress. We'll publish attestation letters and certification status here when available. SQUR's platform is continuously self-tested using SQUR itself, and our development process follows secure SDLC practices.

After you remediate findings from a pentest, you can trigger a free retest against the same scope. SQUR re-runs the same attack sequences against fixed vulnerabilities to confirm they're resolved. Retest results appear in your dashboard and are downloadable as an addendum to the original report.

All customer data is stored in Google Cloud's europe-west1 region (St. Ghislain, Belgium). Data does not leave the EU/EEA. GDPR-compliant data processing agreements are available on request.
