Security & privacy

Crevix is built on a zero-trust data model. Here is exactly what we do — and do not — store.

What we process

When you run an audit, the PAN-OS XML is parsed entirely in your browser by our open-source audit engine. The file is never uploaded to our servers. After the in-browser analysis completes, your browser posts only the following summary to Crevix:

  • Device hostname (used on your dashboard)
  • File name & PAN-OS version
  • Posture score and counts per severity
  • Timestamp

This lets us enforce your monthly quota and show your audit history — without ever seeing rule names, IP addresses, admin accounts or any configuration content.

Account data

We store only what is necessary to provide the service:

  • E-mail address (for login, billing and notifications)
  • Full name and optional company
  • Password — stored only as a bcrypt hash with per-user salt
  • Plan, quota usage and last-login timestamp

Technical controls

  • HTTPS-only in production, HSTS enforced
  • Content Security Policy restricting script & connect origins
  • Session cookies are httpOnly, sameSite=lax and secure
  • Passwords hashed with bcrypt (cost factor 12)
  • Rate limiting on sign-up and login endpoints
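
A check for the header and cookie controls in the list above, as an added example (not Crevix code). The function names and both sample header sets are constructed for illustration; `api.example.test` is a placeholder origin.

```javascript
// Added example: audit response headers against the controls listed above.
// Header names are expected in lowercase; 'set-cookie' is an array of strings.

// "script-src 'self'; connect-src 'self'" -> Map of directive -> source list
function parseDirectives(csp) {
  const map = new Map();
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) map.set(name.toLowerCase(), values);
  }
  return map;
}

function auditCookie(setCookie) {
  // Drop the name=value pair, keep the attributes.
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const findings = [];
  if (!attrs.includes('httponly')) findings.push('cookie missing HttpOnly');
  if (!attrs.includes('secure')) findings.push('cookie missing Secure');
  if (!attrs.some(a => a === 'samesite=lax' || a === 'samesite=strict'))
    findings.push('cookie SameSite is not Lax or Strict');
  return findings;
}

function auditResponse(headers) {
  const findings = [];
  const maxAge = /max-age=(\d+)/i.exec(headers['strict-transport-security'] || '');
  if (!maxAge || Number(maxAge[1]) === 0) findings.push('HSTS missing or max-age=0');
  const csp = parseDirectives(headers['content-security-policy'] || '');
  for (const d of ['script-src', 'connect-src']) {
    const values = csp.get(d) || csp.get('default-src'); // CSP fallback rule
    if (!values) findings.push(`CSP does not restrict ${d}`);
    else if (values.includes('*')) findings.push(`CSP ${d} allows any origin`);
  }
  for (const c of headers['set-cookie'] || []) findings.push(...auditCookie(c));
  return findings;
}

// Constructed samples: one matching the listed controls, one weak.
const hardened = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'content-security-policy': "default-src 'self'; script-src 'self'; connect-src 'self' https://api.example.test",
  'set-cookie': ['sid=constructed; Path=/; HttpOnly; Secure; SameSite=Lax'],
};
const weak = {
  'content-security-policy': 'default-src *',
  'set-cookie': ['sid=constructed; Path=/; SameSite=None'],
};
console.log(auditResponse(hardened), auditResponse(weak));
```

bcrypt cost and rate limiting are server-side controls and cannot be confirmed from response headers.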

Your rights (GDPR)

As a data subject under GDPR you can request export or deletion of your personal data at any time by e-mailing privacy@crevix.io. We respond within 30 days.

This page is informational. It is not a legal privacy notice. A formal Data Processing Agreement is available for Enterprise customers.