Trust Center
Auditing a site means capturing its pages. The evidence that makes a finding trustworthy is also the evidence that has to be handled carefully.
Verassa evidence protocol
Evidence
01 Screenshot, DOM, replay, and axe baseline captured before decisions.
Judgment
02 Reviewer route, rationale, and owner stay attached to lower-confidence work.
Verification
03 Re-scan records and disclaimers travel with reportable outputs.
Redaction
Screenshots, DOM snapshots, recordings, and transcripts can contain personal information that happened to be on the page. The evidence pipeline redacts personal information before evidence is displayed or exported.
Redaction is the default and is not skippable. A sensitive-scan mode increases the redaction applied. Where a finding's evidence is redacted, the report says so, so a reviewer understands the chain-of-custody implication.
Retention and deletion
Evidence is retained for a defined window so a finding stays inspectable and a scan stays reproducible. Retention windows are part of the plan and are documented, not indefinite by default.
Customer data can be deleted on request. Deletion covers evidence and scan artifacts; the append-only audit log retains the record that data existed and was removed, which is what an audit trail is for.
Residency
Standard deployments run on managed infrastructure with defined regions. Enterprise customers with data-residency requirements can discuss region and routing options, including in-tenant and self-hosted model routing for sensitive data classes.
Whatever the arrangement, every scan report includes a provenance section stating what data was processed where.