
Trust Center

Security posture, in writing.

Everything procurement asks for — compliance program, data handling, subprocessors, disclosure — published here before you ask.

Authorization to test

Pentrova actively probes the systems you point it at, so we enforce proof of ownership before a scan can run. You verify control of a target’s domain first; only verified domains can be scanned. This is a hard product control, not a checkbox. The full terms — your ownership warranty, permitted scope, and indemnity — are published in the Terms of Service.

  • Verified ownership

    Prove you control a target’s domain by DNS TXT record, file upload, or HTML meta tag — the same pattern as common webmaster tools. Verification is scoped to your account and cannot be claimed by another account.

  • No verification, no scan

    Scans run only against verified domains. A request to scan an unverified target is rejected before any traffic is sent. This is separate from our safety blocklist for internal and reserved network ranges.

  • Audit trail

    Pentrova records which account verified which domain, by what method, and when each scan ran against which target — so the authorization behind a scan can be evidenced if a target owner ever raises a question.
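One way to implement the control described above, as an added example that is not Pentrova's own code: an authorization gate that issues a per-account token, checks for it in the domain's TXT records, refuses unverified or another account's targets before any traffic, applies a separate reserved-range blocklist, and appends every decision to an audit trail. The `verify-token=` TXT format and the injected `resolve_txt`/`resolve_a` resolvers are assumptions for the example.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumed TXT record format for the proof-of-control token (not Pentrova's actual scheme).
TXT_PREFIX = "verify-token="


def is_reserved_target(addr: str) -> bool:
    """Safety blocklist: private, loopback, link-local, multicast and other non-routable space."""
    ip = ipaddress.ip_address(addr)
    return not ip.is_global or ip.is_multicast or ip.is_reserved


@dataclass
class ScanAuthzGate:
    """Refuses to scan any domain the requesting account has not proven it controls."""
    resolve_txt: Callable[[str], List[str]]  # injected resolver: domain -> TXT strings
    resolve_a: Callable[[str], List[str]]    # injected resolver: domain -> IP strings
    tokens: Dict[Tuple[str, str], str] = field(default_factory=dict)    # (account, domain) -> token
    verified: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (account, domain) -> method
    audit: List[tuple] = field(default_factory=list)                    # append-only evidence trail

    def issue_token(self, account: str, domain: str) -> str:
        """Unguessable token, scoped to this account, for the customer to publish in DNS."""
        token = secrets.token_hex(16)
        self.tokens[(account, domain)] = token
        return token

    def verify_dns(self, account: str, domain: str) -> bool:
        """Verification succeeds only if this account's own token is present in the zone."""
        token = self.tokens.get((account, domain))
        ok = token is not None and TXT_PREFIX + token in self.resolve_txt(domain)
        if ok:
            self.verified[(account, domain)] = "dns-txt"
        self.audit.append(("verify", account, domain, "dns-txt", ok))
        return ok

    def authorize_scan(self, account: str, domain: str) -> str:
        """Decided before any scan traffic is sent: 'allowed' or the rejection reason."""
        if (account, domain) not in self.verified:
            reason = "rejected:unverified"       # another account's proof does not carry over
        elif any(is_reserved_target(a) for a in self.resolve_a(domain)):
            reason = "rejected:reserved-range"   # independent safety blocklist
        else:
            reason = "allowed"
        self.audit.append(("scan", account, domain, reason))
        return reason
```

The resolvers are injected so the gate can be exercised offline against constructed DNS answers; in production they would wrap a real DNS client.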

Compliance posture

This section covers Pentrova’s own posture as your vendor. For the report-output feature — every customer engagement ships a compliance-mapped report with findings tagged to PCI DSS, ISO 27001, HIPAA, and GDPR controls — see /solutions/compliance.

Pentrova is built against the ISO/IEC 27001:2022 control set and processes customer data as a GDPR data processor. Independent audits run on the schedule below; we will not claim a certification we do not yet hold. The Data Processing Addendum is published at /legal/dpa.

  • ISO 27001

    Not yet certified · program in build

    Pentrova is a new company building its security program against ISO/IEC 27001:2022. We are not yet certified and do not claim to be. Once a registrar engagement is signed, the audit timeline and certification status will be published on this page.

  • GDPR

    Day-one design

    Pentrova acts as a data processor under GDPR. Our DPA incorporates Article 28 obligations, SCCs for third-country transfers, and documented breach-notification timelines. The subprocessor categories we rely on are described in our Privacy Policy.

Data handling, retention, and deletion

Pentrova is designed so customer data stays inside an encrypted boundary and is never exposed without an explicit run or export action. The specific safeguards, retention windows, and regions are committed contractually in the DPA and order form before any engagement begins.

  • Encryption by design

    Data is encrypted at rest and in transit, with modern cipher suites and per-customer key scoping. The exact cryptographic and key-management details are documented for evaluators during procurement and committed in the DPA.

  • Retention windows

    Pentrova retains pentest evidence and audit logs for the window specified in your order form. Retention rules become contractual on signature of the DPA and master agreement, scoped per engagement.

  • Deletion on request

    Customers can request deletion of workspace data at any time. Deletion propagates through primary storage, backups, and search indices within the window committed in the DPA.

Catalog coverage

Every Pentrova engagement runs against the same catalogs documented below. Coverage grows with the platform, not with the engagement clock.

  • Curated escalation chain catalog

    Covers SQLi-to-file-read, LFI-to-RCE, SSRF-to-cloud-metadata, SSTI-to-RCE, XXE-to-SSRF, and every other business-impact path we have reproduced in a sandbox. The inventory and chain detail are available to evaluators under NDA via the product console; product context lives at /product/platform#attack-chains.

  • A library of tuned agents

    Six capability families: passive, injection, access control, business logic, protocol, and post-exploitation. Every agent is individually versioned and audited in the release log; the product console exposes the full catalog to evaluators under NDA. Public family descriptions live at /product/platform#agents.

  • Comprehensive DOM sink coverage

    DOM XSS taint tracking observes innerHTML, outerHTML, write, setAttribute, eval, Function, jQuery.html, location sinks, and more. Sources include cookies, window.name, postMessage, URL hash, URL search, and referrer. Detail at /product/platform#dom-xss-taint.

Responsible disclosure

Researchers who report vulnerabilities in Pentrova infrastructure, the product surface, or the marketing site are welcome. Please use the contact and PGP key below, and review the machine-readable policy before reporting.

  • PGP key fingerprint

    ABCD 1234 EFGH 5678 IJKL 9012 MNOP 3456 QRST 7890

  • Machine-readable policy

    Our RFC 9116 disclosure document is served at /.well-known/security.txt and mirrors the contact, expiry, and policy URLs listed here.

Security FAQ

Common security and compliance questions from procurement and security teams during the evaluation process.

Frequently asked questions

  • Can I scan a domain I don’t own?
    No. Pentrova requires you to verify control of a target’s domain before any scan can run, using a DNS TXT record, file upload, or HTML meta tag. Only verified domains can be scanned; requests against unverified targets are rejected. Full terms are in the Terms of Service at /legal/terms.
  • Where is my data stored?
    Customer data is encrypted at rest and in transit. Hosting region, key management, and per-customer isolation are confirmed in writing during procurement and fixed in the order form and DPA before any engagement begins. The categories of subprocessors we use are described in our Privacy Policy at /legal/privacy, and the current named list is provided to customers under the DPA.
  • Does Pentrova hold SOC 2 or ISO 27001 certification?
    No — not yet, and we will not claim a certification we do not hold. Pentrova is a new company building against the ISO/IEC 27001:2022 control set. We will publish audit timelines and certification status on this page the moment a registrar engagement is signed. Until then, treat our posture as "compliance-ready," not certified.
  • What happens to my data after a pentest engagement ends?
    Pentest evidence and audit logs are retained for the window specified in your order form. You can request deletion at any time by contacting our privacy team, and deletion propagates through primary storage, backups, and search indices within the window committed in the DPA.
  • Can I specify data residency requirements?
    Data residency requirements can be discussed during procurement and, where supported, committed in the DPA and order form. The subprocessor categories we rely on are described in our Privacy Policy, and the current named list with locations is provided to customers under the DPA.
  • How does Pentrova handle breach notification?
    Our DPA incorporates the GDPR Article 33/34 notification obligations: in the event of a personal data breach we notify affected customers without undue delay and within the timeline committed in the DPA. Our incident-response process is documented.

Next step

Ready to see the platform behind the posture?

Book a guided walkthrough and get answers to your remaining security questions from our engineering team.
