Security & trust

How we keep your trust data safe

SkyQon is a security product, so we hold ourselves to the same bar we measure you against. Here is exactly how the service is built, where your data lives, and how to reach us if you find a problem.

Data residency — everything stays in the EU

SkyQon is built, hosted and operated in the European Union. The application and its database run on infrastructure in Germany; the marketing site and lead handling run on EU hosting. Your account data, scan history and evidence never leave the EU.

External-only, with no agent

SkyQon scans your domains the same way an attacker, a mailbox provider or a browser would: from the outside. We only ever read what is already publicly observable — DNS records, published certificates, TLS configuration and mail-authentication policy. There is no agent to install and no access to your internal network, so a compromise of SkyQon can never become a compromise of you.

Encryption

All traffic to the dashboard and API is served over TLS. Data is encrypted at rest, and off-host backups are encrypted before they leave the server. Tenant data is isolated at the database level so one customer can never read another's findings.

Subprocessors

We keep the list of third parties that process data on our behalf short and EU-centred:

  • Hetzner (Germany) — application and database hosting.
  • Hostinger (EU) — marketing site and lead capture.
  • Brevo (EU) — transactional and alert email.
  • Paddle — payments and Merchant of Record; card data never touches our servers.
  • Cloudflare — DNS, CDN and edge protection for our own domains.

Our privacy policy and Data Processing Addendum describe how each is used and the safeguards in place.

Access and authentication

Dashboard accounts support two-factor authentication (TOTP) and passwordless passkeys (WebAuthn), and a tenant can require 2FA for everyone. Sign-in is rate-limited and locks out after repeated failures. Administrative access to production is restricted and key-based.

Responsible disclosure

If you believe you have found a security issue in SkyQon, please tell us before disclosing it publicly. Email [email protected] with enough detail to reproduce it. We will acknowledge your report within three business days and keep you updated while we investigate. We will not pursue action against researchers who act in good faith, avoid privacy violations and data destruction, and give us reasonable time to fix the issue. Our machine-readable policy lives at /.well-known/security.txt.

Audit-ready evidence you can inspect

Frameworks like NIS2 expect you to show that certificate and cryptographic controls are working. SkyQon turns your scan history into a signed, reproducible NIS2 Article 21(2) evidence report, with an integrity hash an auditor can recompute and an honest map of what is directly evidenced, what is supporting, and what is out of scope. Rather than describe it, here is a real one generated by the product from our own infrastructure:

Download a sample NIS2 report (PDF)

What we don't claim

We would rather be precise than impressive. SkyQon is not currently SOC 2 or ISO 27001 certified, and we will not display a badge we haven't earned. What we do offer is an EU-native service, transparent engineering practices, and the same continuous checks we run for our customers, run on ourselves. If your procurement process needs specific documentation, talk to us.

See also: how the Trust Score is calculated · system status · privacy policy.