Draft for legal review. Not legal advice.

This document is a working draft maintained for legal review and is subject to change before launch. Consult qualified counsel before relying on it for any commercial or regulatory purpose.


Privacy Policy

Effective date: 2026-05-18 (draft)

This Privacy Policy describes what data Verilax collects, how it is used, and the choices available to operators and their workspaces.

1. Account data

The following data is collected to operate accounts:

  • Email address used to sign up. Used for authentication, account recovery via single-use codes, and operational notices.
  • Argon2id-hashed password. The plaintext is never stored.
  • Display name (optional). Defaults to the email's local part when not supplied.
  • TOTP-based MFA secret, when MFA is enabled. Stored on the user row; never transmitted after the setup flow.
  • sha256-hashed single-use recovery codes for password reset. Only the hashes are stored; raw codes are shown once at signup and cannot be recovered.
  • Session metadata: sha256-hashed session token, creation time, last activity time, user agent, originating IP hash. Sessions are revocable by the user from the account page.

2. Project, scope, and engagement data

Operators create engagements; each engagement carries metadata about the test (client name, scope rules, authorization tier, signed Rules of Engagement document hash, member list). This data is visible only to members of the engagement's workspace.

3. Scan and test data

When operators dispatch a scan against an authorized target, Verilax stores the resulting assets (e.g. discovered hostnames, IP addresses, HTTP fingerprints) and findings (e.g. exposed paths, weak TLS, confirmed CVEs). Targets are constrained to the engagement's authorized-scope list; out-of-scope dispatch is refused at the route layer.

Where modules emit credential material (for example, the offline hash cracker), the resulting plaintext is recorded only in the finding evidence object, which is scoped to the engagement's members. Audit-log rows never carry plaintext credentials.

4. Audit-log data

Verilax maintains an append-only, hash-chained audit log of compliance-sensitive actions: signup, sign-in, scope changes, module dispatch, kill-switch use, admin grants, ROE uploads, policy acceptances, and similar events. Audit data is visible to the workspace owner and to admins.

Audit-log rows omit plaintext passwords, tokens, API keys, private keys, session cookies, and exploit-payload secrets.

5. Telemetry

Verilax does not currently emit product telemetry beyond operational logs needed to diagnose service incidents. If telemetry is introduced in the future, it will be disclosed prior to activation and made opt-out where reasonably possible.

6. How long data is retained

Account data is retained for the lifetime of the account. Workspace and engagement data is retained until the operator deletes the workspace; workspace deletion cascades to engagements, scope rules, findings, assets, members, invitations, and webhook configurations, and revokes every member session.

Audit-log rows are preserved beyond engagement deletion because each row's hash covers the hash of the row before it: removing or altering a row would break the chain for every row recorded after it, including rows belonging to other engagements. Audit rows do not contain customer deliverable content; they contain event metadata only.
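The append-only, hash-chained log described in sections 4 and 6 can be illustrated with the following added Python example. It is not Verilax's own code: the row layout, the list of redacted field names, the sample events, and the helper names (`AuditLog`, `verify_chain`, `delete_engagement_rows`) are assumptions made for the illustration. It shows three things the policy states: secret-bearing fields never enter a row, a chain with a row removed fails verification, and a chain with a row edited fails verification.

```python
import hashlib
import json
from typing import Any

# Field names that must never reach the audit log in the clear. The set is an
# assumption for this example, modelled on the list in section 4 of the policy.
REDACTED_KEYS = {"password", "token", "api_key", "private_key", "session_cookie", "payload_secret"}
GENESIS = "0" * 64  # prev_hash of the first row


def redact(details: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `details` with secret-bearing fields replaced by a marker."""
    return {k: ("[REDACTED]" if k in REDACTED_KEYS else v) for k, v in details.items()}


def row_hash(row: dict[str, Any]) -> str:
    """sha256 over every field except `hash` itself, in a canonical JSON form."""
    body = {k: v for k, v in row.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLog:
    """Append-only log: each row commits to the previous row's hash."""

    def __init__(self) -> None:
        self.rows: list[dict[str, Any]] = []

    def append(self, ts: str, actor: str, action: str, details: dict[str, Any]) -> dict[str, Any]:
        prev = self.rows[-1]["hash"] if self.rows else GENESIS
        row = {
            "seq": len(self.rows),
            "ts": ts,
            "actor": actor,
            "action": action,
            "details": redact(details),  # secrets are stripped before hashing
            "prev_hash": prev,
        }
        row["hash"] = row_hash(row)
        self.rows.append(row)
        return row


def verify_chain(rows: list[dict[str, Any]]) -> tuple[bool, int]:
    """Walk the chain from GENESIS; return (ok, index of first bad row or -1)."""
    expected_prev = GENESIS
    for i, row in enumerate(rows):
        if row["seq"] != i or row["prev_hash"] != expected_prev or row_hash(row) != row["hash"]:
            return False, i
        expected_prev = row["hash"]
    return True, -1


def with_tampered_row(rows: list[dict[str, Any]], index: int, key: str, value: Any) -> list[dict[str, Any]]:
    """Deep-copy the rows and edit one field of one row, leaving its stored hash as-is."""
    copied = json.loads(json.dumps(rows))
    copied[index]["details"][key] = value
    return copied


def delete_engagement_rows(rows: list[dict[str, Any]], engagement: str) -> list[dict[str, Any]]:
    """What cascading engagement deletion into the audit log would do: drop the rows that mention it."""
    return [r for r in rows if r["details"].get("engagement") != engagement]


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data); the token in the first event must never be stored."""
    log = AuditLog()
    log.append("2026-05-18T09:00:00Z", "alice@example.com", "sign_in",
               {"ip_hash": "3f2a9c", "token": "sess_abc123"})
    log.append("2026-05-18T09:05:00Z", "alice@example.com", "scope_change",
               {"engagement": "eng-42", "added": ["10.0.0.0/24"]})
    log.append("2026-05-18T09:10:00Z", "alice@example.com", "module_dispatch",
               {"engagement": "eng-42", "module": "hash_cracker"})
    log.append("2026-05-18T09:20:00Z", "alice@example.com", "engagement_delete",
               {"engagement": "eng-42"})
    log.append("2026-05-18T09:25:00Z", "alice@example.com", "sign_out", {"ip_hash": "3f2a9c"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact chain:", verify_chain(log.rows))
    print("after deleting eng-42 rows:", verify_chain(delete_engagement_rows(log.rows, "eng-42")))
    print("after editing row 1:", verify_chain(with_tampered_row(log.rows, 1, "added", ["0.0.0.0/0"])))
```

Two points the example makes concrete. Redaction runs before hashing, so a leaked field cannot later be removed without breaking the chain; that is why it has to be kept out of the row in the first place. And `verify_chain` only proves internal consistency: an attacker who can rewrite the whole table can rebuild every hash from scratch, so a production deployment would additionally anchor the chain head outside the database (for example by periodically signing or escrowing the latest hash), which this example does not do.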

7. How data is protected

Verilax uses Argon2id (OWASP 2024 parameters) for password hashing, sha256 for session-token and recovery-code storage, TLS for all network traffic, SameSite=Lax + HttpOnly + Secure cookie flags for sessions, per-IP rate limiting on anonymous endpoints, and a workspace-tenancy filter on every list and search query so workspaces cannot read each other's data.

8. Data export and deletion

Operators may request a copy of their workspace's data or its deletion by contacting Verilax through the channel listed at the bottom of this page. Workspace owners may also delete a workspace themselves via the workspace settings page; this action cannot be undone.

Operators are responsible for minimizing or redacting sensitive customer material when uploading Rules of Engagement, evidence artifacts, or scan results that contain third-party PII.

9. Children

Verilax is not intended for use by individuals under 18. Verilax does not knowingly collect personal information from children.

10. Changes

Verilax may update this Privacy Policy from time to time. Material changes will be announced with reasonable advance notice. Continued use of Verilax after a change takes effect constitutes acceptance of the updated Privacy Policy.

11. Contact

Privacy questions, data-export requests, and deletion requests may be sent to the operator address listed on the marketing site. Contact details will be finalized at launch.
