Responsible Disclosure Policy
Helping us keep Akordans secure
Effective date: 25 March 2026
Akordans takes the security of our platform and our users' data extremely seriously. We welcome reports from security researchers who discover potential vulnerabilities.
Scope
In scope:
- akordans.com and all subdomains
- api.akordans.com
- The Akordans web and mobile applications
- Our API endpoints
Out of scope:
- Third-party services (Stripe, Resend, Anthropic)
- Social engineering or phishing attacks
- Physical security
- Denial of service (DoS/DDoS) attacks
- Automated scanning without prior approval
What to Report
We are particularly interested in:
| Vulnerability Type | Examples |
|---|---|
| Authentication issues | Broken login, session fixation, JWT vulnerabilities |
| Authorisation issues | Accessing other users' data, privilege escalation |
| Data exposure | Unintended exposure of personal or dispute data |
| Injection attacks | SQL injection, XSS, command injection |
| API security | Insecure endpoints, missing rate limiting, IDOR |
| CSRF | Missing or bypassable CSRF protection |
How to Report
Email: security@akordans.com
Please include in your report:
- A clear description of the vulnerability
- Step-by-step instructions to reproduce it
- The potential impact if exploited
- Any proof-of-concept code or screenshots
- Your suggested fix (optional but appreciated)
For sensitive reports, request our PGP key before sending.
Our Commitments to You
| Commitment | Timeline |
|---|---|
| Acknowledge your report | Within 48 hours |
| Provide a status update | Within 7 days |
| Resolve critical vulnerabilities | Within 30 days |
| Notify you when resolved | Upon fix deployment |
We commit to:
- Not pursuing legal action against researchers acting in good faith
- Crediting you in our security acknowledgements (if you wish)
- Keeping you informed throughout the resolution process
Rules of Engagement
To qualify for responsible disclosure protections, you must:
- ✅ Only test on accounts you own or have explicit permission to test
- ✅ Stop immediately if you encounter any personal data
- ✅ Report findings promptly and privately
- ✅ Give us reasonable time to respond before public disclosure
- ❌ Not access, modify, or delete other users' data
- ❌ Not perform denial of service testing
- ❌ Not use automated scanners without prior written approval
- ❌ Not publicly disclose before we have resolved the issue
Security Acknowledgements
We maintain a Hall of Fame for researchers who responsibly disclose valid vulnerabilities. We do not currently offer monetary bounties but are considering a formal bug bounty programme.
Contact
Security issues: security@akordans.com General enquiries: support@akordans.com Response time: within 48 hours for security reports
Wie Akordans Ihre Daten schützt
Datenspeicherort — nur EU
Alle personenbezogenen Daten und Streitdokumente werden ausschließlich auf EU-Infrastruktur gespeichert (Hetzner, Deutschland). Daten verlassen die EU nicht, außer für KI-Inferenz über die Anthropic-API, die durch Standardvertragsklauseln (SCC) und das EU-Datenverarbeitungs-Addendum von Anthropic abgedeckt ist.
Verschlüsselung
- Im Transit: TLS 1.3 an allen Endpunkten erzwungen (akordans.com und api.akordans.com)
- Im Ruhezustand: AES-256-Verschlüsselung für alle gespeicherten Streitdokumente und personenbezogenen Daten
- Datenbank: auf Speicherebene verschlüsselt (verwaltete Hetzner-Volumes)
Datenspeicherfristen
- EU-KI-Verordnung-Compliance-Protokolle: 3 Jahre (Art. 12(1)) — Modell, Prompt-Version, Token-Anzahl, Ausgabezusammenfassungen
- Streitdokumente: 12 Monate nach Abschluss des Streitfalls, dann endgültig gelöscht
- Kontolöschung: 30-tägige Kulanzfrist gemäß DSGVO Art. 17 vor endgültiger Löschung
- Zahlungsunterlagen: 7 Jahre (EU-Steuerrechtsanforderung, von Stripe verarbeitet und aufbewahrt)
Keine KI-Training mit Ihren Daten
Akordans verwendet die Anthropic-API im Zero-Data-Retention-Modus. Ihre Prompts und Antworten werden nicht verwendet, um Anthropics Modelle zu trainieren. Dies ist vertraglich in unserer Vereinbarung mit Anthropic garantiert. Weitere Informationen finden Sie in Anthropics Nutzungsrichtlinie .
Drittanbieter-Auftragsverarbeiter
| Anthropic (Claude KI) | USA (SCC in Kraft) |
| Hetzner | Deutschland (EU) |
| Stripe | USA (SCC in Kraft) |
| Resend | USA (SCC in Kraft) |