Security at PostQ
We build security infrastructure — so our own security practices must be exemplary. Here’s how we protect your data and systems.
Scanner Data & Privacy
The free domain scanner inspects only the public metadata exposed during a normal TLS handshake. We never ask for, upload, or store private keys.
No private key upload required
External scans read certificate metadata, TLS versions, ciphers, and the negotiated key exchange. We only inspect public metadata unless an authenticated integration (cloud KMS, Kubernetes) is explicitly configured, and even then we read key metadata and usage — never private key material.
What we collect during a scan
The scanned domain, certificate chain fields (subject, issuer, algorithms, expiry, fingerprints), TLS version support, negotiated cipher and key exchange, and the derived findings and readiness score. The basic external scan requires no signup.
SSRF protections
The scanner resolves the target and refuses to connect to private, loopback, link-local, or otherwise reserved addresses. Only public hosts on port 443 are scanned.
Storage & deletion
Shareable report links encode the scanned domain so reports can be re-generated on demand. Saved scan history (paid plans) is scoped to your organization and can be deleted at any time; see Data Handling below.
Infrastructure Security
Encryption in Transit
All connections to PostQ are encrypted with TLS 1.3. We enforce HTTPS everywhere and support post-quantum key exchange (X25519Kyber768) where available.
Encryption at Rest
All data is encrypted at rest using AES-256. Database backups and file storage are encrypted with keys managed through dedicated key management infrastructure.
Network Isolation
Production systems run in isolated network segments with strict firewall rules. Internal services communicate over private networks and are not exposed to the public internet.
Application Security
Authentication
We support email/password authentication and OAuth (Google, GitHub). All passwords are hashed with bcrypt. Sessions are managed with short-lived tokens and automatic expiration.
Authorization
Row-level security (RLS) policies enforce data isolation between organizations. Role-based access control (owner, admin, member, viewer) governs what actions users can perform within each organization.
API Security
API keys are hashed before storage. All API endpoints enforce authentication and rate limiting. Input validation prevents injection attacks. CORS policies restrict cross-origin access to authorized domains.
Data Handling
Scan Data Isolation
Scan results are scoped to your organization and are never shared with other users or organizations. We do not use customer data to train models or for any purpose beyond providing the Service.
Data Residency
PostQ infrastructure is hosted in the United States. Enterprise customers can request specific data residency configurations.
Data Deletion
You can delete scan results, assets, and policies at any time. Account deletion removes all personal data within 30 days. Backups are purged on a rolling 90-day schedule.
Development Practices
- All code changes go through peer review before merging
- Dependencies are automatically scanned for known vulnerabilities
- Secrets are never committed to version control — managed via environment variables and vault systems
- We follow the principle of least privilege for all system access
- Production deployments are automated with immutable infrastructure
Standards & Compliance
Reporting a Vulnerability
If you discover a security vulnerability in PostQ, please report it responsibly. Email info@postq.dev with a description of the issue. We will acknowledge receipt within 24 hours and aim to resolve critical issues within 72 hours.
We do not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.
Questions about our security?
Reach out to our security team for questions, reports, or enterprise compliance documentation.