Security & Trust
KompWatch is a small team that ships fast. That means we publish our security practices openly so you can vet us before you put a credit card on file — not after a sales call.
Last updated: May 7, 2026
Data practices
How customer data is stored, transmitted, and accessed.
Encryption in transit
All traffic to kompwatch.com is served over TLS 1.2+. HSTS is enabled. Magic-link emails are sent over authenticated SMTP (Resend) with TLS.
Encryption at rest
The PostgreSQL database is encrypted at rest using AES-256 disk encryption. Snapshots and screenshots stored in object storage are encrypted server-side.
Authentication
Magic-link sign-in only — no passwords to leak or reuse. Sessions are signed JWTs with conservative expiry. Stripe handles all payment authentication.
Access controls
Production database access is limited to a small number of engineers and audited. No customer support staff have direct database access. All admin operations go through the application layer.
Network isolation
The production database is not publicly reachable. Application servers connect to it over a private network. SSH access requires an engineering-team SSH key.
Backups
Daily encrypted database snapshots with a 14-day retention window. Snapshots are tested quarterly. Backups are stored in a separate region from primary data.
Subprocessors
Third-party services that process customer data on our behalf. We update this list whenever it changes — bookmark or subscribe to the changelog for material updates.
- Stripe: Payment processing, subscription billing, and invoices. Privacy policy →
- Resend: Transactional email delivery — magic links and digests. Privacy policy →
- Anthropic: AI-powered analysis of competitor page changes (Claude API). Only competitor page content is sent — no customer-identifying data. Privacy policy →
- Plausible Analytics: Privacy-focused, cookieless website analytics. No personal data is transmitted. Privacy policy →
- Coolify (self-hosted): Deployment platform running on dedicated hardware. KompWatch infrastructure is not multi-tenant with other vendors. Privacy policy →
Responsible disclosure
Found a security issue? Please report it privately so we can investigate and ship a fix before it becomes public.
Please do
- Email security@kompwatch.com with reproduction steps and impact.
- Give us a reasonable window (typically 30 days) before public disclosure.
- Use a test account on the free plan — don't test against paying customer data.
Please don't
- Run automated scanners that generate significant traffic.
- Access, modify, or exfiltrate data that isn't yours.
- Perform denial-of-service or social-engineering attacks.
We don't run a paid bounty yet, but we'll publicly credit researchers who report valid issues in good faith.
FAQ
Do you have SOC 2?
Not yet. SOC 2 Type I is on the roadmap once we exit early-access pricing. Until then, we publish our security practices openly here so prospects can vet us directly. If you need a vendor security questionnaire completed, email security@kompwatch.com.
Are you GDPR compliant?
Yes. We act as a data processor for the customer data you provide (your account email, the competitor URLs you configure). EU residents can exercise rights under GDPR — access, deletion, portability — by emailing privacy@kompwatch.com. A Data Processing Addendum is available on request.
What competitor data do you actually collect?
Public web pages only. KompWatch fetches the URLs you configure as a normal HTTP client (or via headless Chromium) and stores the resulting HTML and screenshots. We respect robots.txt and never scrape gated content.
Can other customers see my competitor list?
No. Competitor lists, snapshots, and digests are scoped per-account at the database level. Internal admin tooling can view metadata for support purposes, and every such access is logged.
How long do you retain my data?
While your account is active, we retain snapshots and changes to power your historical timeline. If you cancel, account data is hard-deleted within 30 days unless you request immediate deletion. Logs are retained for 90 days.
Where is data hosted?
EU (Hetzner, Germany) on dedicated hardware managed via Coolify. Backups are stored in a separate region. No data is hosted in the United States.
Need a vendor security questionnaire completed?
We'll fill out CAIQ, SIG-Lite, or your custom form. Most companies hear back within two business days.