Security

Security & compliance

How we handle data, what we expect from customers, and where to report vulnerabilities.

Data location

Slate Security, Inc. is a U.S.-based company. Customer account data, scan configuration, targets, and findings are hosted and processed in the United States.

If you need customer data and infrastructure hosted in a different region—for example, the EU— contact us to discuss options.

What we store

  • Account and workspace membership
  • Target URLs and scan authorization consent records
  • Scan status, logs, and security findings
  • Billing metadata via Stripe (payment details stay with Stripe)
  • API key hashes (not plaintext secrets)

Authorized scanning only

You may only scan systems you own or are explicitly permitted to test. The product requires acknowledgment of authorization when adding targets in the dashboard. Misuse violates our Terms of Use and may result in account suspension.

API keys

Treat API keys like passwords. Rotate keys periodically, revoke unused keys, and store them in CI secret managers—not in repositories.

Compliance framing

Slate helps teams find common web and API misconfigurations to support SOC 2, PCI DSS, HIPAA, and ISO 27001 programs. Scan results are inputs to your security process, not a certification by themselves.

More detail

See the full Security page for principles, frameworks, and responsible disclosure. Legal terms: Privacy Policy, Terms of Use.