Security
Have I Been Squatted generates permutations, checks registration and certificate transparency (CT) data, and enriches findings with DNS, HTTP, Registration Data Access Protocol (RDAP), and related signals. Organizations rely on that pipeline for typosquatting detection, impersonation risk, and evidence for response workflows, which raises the bar for confidentiality, integrity, and proportionate handling of monitored terms and account metadata.
Approach to risk and data handling#
Security work is treated as a product discipline, not a separate checklist layer. Data is classified by sensitivity, access paths are narrow by default, and retention follows business need rather than open-ended collection. Exact categories, residency detail, and control mapping sit in the Trust Center so they stay aligned with assessments and questionnaires. Formal control statements for classification and retention appear under data and privacy; the full index is Trust Center controls.
Infrastructure#
Primary compute, storage, and data processing run on Amazon Web Services (AWS), including object storage, databases, serverless functions, queues. Time-series and relational monitoring data are stored in Tiger Cloud (TigerData). The website and application experience is deployed on Vercel. Public traffic is routed through edge layers that provide denial-of-service protection, web application firewall (WAF) inspection, and caching before traffic reaches application origins. Amazon CloudFront is used in front of selected API and asset paths for TLS (Transport Layer Security) at the edge, caching, and geographic distribution. Authoritative DNS for site domains is managed outside the application stack. Related Trust Center material is grouped under infrastructure security.
Data residency#
Customer data that the product persists for monitoring, alerting, and billing is stored and processed in the United States. It is not replicated to additional regions for long-term storage. Edge caching and request routing may touch global points of presence for latency and availability; durable databases and application processing for customer content remain US-based. Residency and retention sit with the broader data program in data and privacy.
Encryption#
TLS 1.2 or higher is required for data in transit, with TLS 1.3 preferred across the dashboard, APIs, and webhooks. Data at rest uses AES-256 for object stores, databases, and attached volumes where the cloud provider applies it by default or via customer-managed keys as configured. Backup objects are encrypted before write. HTTP requests redirect to HTTPS, and strict transport security (HSTS) is set with a long max-age to reduce downgrade risk. Trust Center coverage for stored data and keys appears under infrastructure security; coverage for data in transit over public networks appears under product security.
Backups & recovery#
Primary data stores are backed up on an automated schedule. Point-in-time recovery (PITR) is enabled on supported databases so restores can target a second inside the retention window. Restore drills are run on a periodic basis to validate backup integrity. Recovery time objective (RTO) and recovery point objective (RPO) targets are revisited as part of incident planning. Business continuity, disaster recovery, and related operating discipline are documented under internal security procedures.
Application security#
End-user authentication is delegated to Clerk: credentials and sessions are handled by that provider rather than a custom password store in the application database. Multi-factor authentication (MFA), including phishing-resistant factors where supported, is available, and enterprise customers can use single sign-on (SSO) via standard identity protocols. Inside the product, role-based access control (RBAC) scopes dashboard and API actions; authorization is enforced on the server for every request, and client state is never the sole control.
All code changes go through peer review. Infrastructure is defined as code for reviewable, repeatable environments. Automated dependency scanning runs on pull requests and on a schedule; patches for critical and high-severity issues are prioritized within the normal release cycle. New services receive the minimum cloud permissions required. Secrets are never committed to source control.
Authenticated APIs use rate limiting at the edge and in application logic where applicable. Inputs are validated at API boundaries before they reach downstream systems. Webhook deliveries are signed so consumers can verify authenticity. Control self-assessments, secure transmission expectations, and product-facing security work are listed under product security; systems development life cycle and change governance appear under internal security procedures.
Access controls#
Production access is limited to staff whose role requires it, following least privilege. Development and production accounts are separated to reduce cross-environment mistakes. Access to cloud administration uses strong authentication, including phishing-resistant MFA where the provider supports it. Infrastructure changes and data access paths are logged for audit. When employees or contractors leave, access is revoked through a standard checklist, with credential rotation where per-user revocation is not available. Trust Center coverage spans infrastructure security (production system access and authentication) and organizational security (people, endpoints, and workforce expectations).
Sub-processors#
Third parties that process personal or service data on behalf of Have I Been Squatted are onboarded under contract, with access scoped to what each integration requires. The live catalog, including vendor role and geography, is maintained in the Trust Center so it stays aligned with questionnaires and data processing agreements. For the most up-to-date list, see Trust Center subprocessors.
Customer notification#
If a security incident results in unauthorized access to customer data, affected organizations are notified promptly, with a description of what happened, which data classes were involved, and what remediation is underway, consistent with applicable breach-notification and privacy law (including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) where they apply). Related operating and governance controls are summarized under internal security procedures.
Business continuity#
Critical services are deployed across multiple AWS Availability Zones so a single-zone failure does not take down the core data plane. Edge-hosted web traffic and CDN-backed assets improve resilience when an origin region is degraded. Backups and point-in-time recovery provide a path to a recent known-good state after corruption or operator error. Recovery procedures are exercised on a schedule so RTO and RPO targets stay realistic. Formal business continuity and disaster recovery plans appear under internal security procedures.
Responsible disclosure#
Coordinated disclosure from security researchers reduces harm across the internet. If a vulnerability is suspected in the Have I Been Squatted platform, report it responsibly rather than through public channels.
Send mail to [email protected] with a clear description, steps to reproduce, and the assessed impact. The security team aims to:
- acknowledge the report within 2 business days;
- provide an initial triage assessment within 5 business days;
- keep the reporter informed during investigation and remediation.
Please do not publish details until there has been a reasonable window to fix the issue. Good-faith research under these guidelines will not be met with legal retaliation.
There is no public bug bounty program at this time. Credit is offered to contributors who want their names included.
Contact#
For vulnerability reports, use [email protected]. For vendor security assessments, engagement letters, and data processing agreements, use the Trust Center. For control-by-control evidence, use Trust Center controls (for example infrastructure security, organizational security, product security, internal security procedures, and data and privacy). For the authoritative subprocessor list, see Trust Center subprocessors. Privacy questions belong in the Privacy Policy.