Security & Trust

We build vulnerability intelligence for security teams, so we hold ourselves to the standard we'd expect from any tool we'd put in our own stack. Here's how we protect your data and work with the research community.

Our security posture

Encryption everywhere

All traffic is served over TLS, and data is encrypted at rest. Credentials are never stored in plaintext.

Least-privilege access

Access to production systems and customer data is restricted to the people who need it, and is scoped to the minimum required to do the job.

Authentication & sessions

Accounts are protected with modern authentication, short-lived signed sessions, and CSRF protection on every state-changing request.

Defense in depth

Rate limiting, bot mitigation, input validation, and row-level access controls layer together so a single failure doesn't expose your data.

Data protection & privacy

We collect only what we need to deliver the product, and we do not sell or share your personal information. Most of the intelligence we surface — CVEs, CWE/CAPEC references, CISA KEV, EPSS — is drawn from public security data sources; the data tied to your account stays private to you.

For full detail on what we collect and how it's handled, see our Privacy Policy and Terms of Service. Enterprise customers can request additional documentation, including our sub-processor list, under NDA.

Responsible disclosure

We welcome reports from security researchers. If you believe you've found a vulnerability in our platform, please let us know and give us a reasonable amount of time to investigate and remediate before any public disclosure.

How to report

Email security@radicalnotion.ai with steps to reproduce and any relevant proof of concept.
Machine-readable contact details are published at /.well-known/security.txt (RFC 9116).

Please do

Report promptly and in good faith.
Give us time to remediate before disclosing publicly.
Use a test account where possible and avoid real user data.

Please don't

Access, modify, or exfiltrate data that isn't yours.
Run denial-of-service tests or automated scanning that degrades service.
Use social engineering or physical attacks against our staff.

We won't pursue legal action against researchers who act in good faith and follow this policy. We're a small team and read every report — thank you for helping keep our users safe.

Questions about security?

Evaluating us for your team and need more detail on our controls, data handling, or compliance posture? We're happy to help.