Security at EvidnZ
EvidnZ is used to process penetration testing evidence, so the platform is designed around evidence isolation, redaction, and human control over what leaves the tool. This page summarizes the controls that are in place today. It intentionally does not describe internal defensive rules or infrastructure identifiers that would benefit an attacker.
Private evidence storage
Uploaded evidence is stored in per-account, non-public storage and is not accessible from a public URL.
Row-level tenant isolation
Reports, findings, evidence, and redactions are scoped to the owning account. Server-side authorization is enforced on protected operations.
Short-lived evidence links
Signed URLs used to preview evidence expire quickly so screenshots are not left addressable on the internet.
Redaction before export
Persistent redactions are baked into exported previews and deliverables so redacted content does not leak through the source image.
Human review of AI output
AI-generated fields are editable. Locked fields remain under tester control across regenerations. Users are responsible for reviewing all AI output before client delivery.
Account lockout and abuse controls
Repeated failed authentication attempts trigger short lockouts. Signup and password-reset endpoints are rate limited.
Security event logging
Authentication events, admin actions, and sensitive workflow events are logged for abuse detection. Hashed request identifiers are used for lockout logic rather than raw values.
Payments handled by Stripe
Card data is entered directly with Stripe. EvidnZ does not store payment card numbers or CVCs. Billing state is synchronized through Stripe webhook events.
Shared responsibility
EvidnZ provides tools to help testers store, redact, and export evidence safely. Users remain responsible for confirming they are authorized to upload client evidence, reviewing all uploaded content and generated fields, redacting sensitive information before export, and verifying deliverables prior to sending them to clients.
Responsible disclosure
If you believe you have found a security issue in EvidnZ, contact security@evidnz.app with a description of the issue and steps to reproduce. Please avoid testing against other users' data, avoid actions that would degrade the service, and give the team a reasonable window to respond before any public disclosure. EvidnZ does not currently operate a paid bug bounty.
What EvidnZ does not claim
EvidnZ does not claim to be free of vulnerabilities, immune to compromise, or a substitute for a client-approved security review process. Every export should be reviewed by a qualified tester before delivery.