Responsible Disclosure Policy
Helping us keep Akordans secure
Effective date: 25 March 2026
Akordans takes the security of our platform and our users' data extremely seriously. We welcome reports from security researchers who discover potential vulnerabilities.
Scope
In scope:
- akordans.com and all subdomains
- api.akordans.com
- The Akordans web and mobile applications
- Our API endpoints
Out of scope:
- Third-party services (Stripe, Resend, Anthropic)
- Social engineering or phishing attacks
- Physical security
- Denial of service (DoS/DDoS) attacks
- Automated scanning without prior approval
What to Report
We are particularly interested in:
| Vulnerability Type | Examples |
|---|---|
| Authentication issues | Broken login, session fixation, JWT vulnerabilities |
| Authorisation issues | Accessing other users' data, privilege escalation |
| Data exposure | Unintended exposure of personal or dispute data |
| Injection attacks | SQL injection, XSS, command injection |
| API security | Insecure endpoints, missing rate limiting, IDOR |
| CSRF | Missing or bypassable CSRF protection |
How to Report
Email: security@akordans.com
Please include in your report:
- A clear description of the vulnerability
- Step-by-step instructions to reproduce it
- The potential impact if exploited
- Any proof-of-concept code or screenshots
- Your suggested fix (optional but appreciated)
For sensitive reports, request our PGP key before sending.
Our Commitments to You
| Commitment | Timeline |
|---|---|
| Acknowledge your report | Within 48 hours |
| Provide a status update | Within 7 days |
| Resolve critical vulnerabilities | Within 30 days |
| Notify you when resolved | Upon fix deployment |
We commit to:
- Not pursuing legal action against researchers acting in good faith
- Crediting you in our security acknowledgements (if you wish)
- Keeping you informed throughout the resolution process
Rules of Engagement
To qualify for responsible disclosure protections, you must:
- ✅ Only test on accounts you own or have explicit permission to test
- ✅ Stop immediately if you encounter any personal data
- ✅ Report findings promptly and privately
- ✅ Give us reasonable time to respond before public disclosure
- ❌ Not access, modify, or delete other users' data
- ❌ Not perform denial of service testing
- ❌ Not use automated scanners without prior written approval
- ❌ Not publicly disclose before we have resolved the issue
Security Acknowledgements
We maintain a Hall of Fame for researchers who responsibly disclose valid vulnerabilities. We do not currently offer monetary bounties but are considering a formal bug bounty programme.
Contact
Security issues: security@akordans.com General enquiries: support@akordans.com Response time: within 48 hours for security reports
Cómo Akordans protege tus datos
Residencia de datos — solo UE
Todos los datos personales y documentos de disputa se almacenan exclusivamente en infraestructura con sede en la UE (Hetzner, Alemania). Los datos no salen de la UE excepto para inferencia de IA a través de la API de Anthropic, cubierta por Cláusulas Contractuales Estándar (CCE) y el Adéndum de Procesamiento de Datos UE de Anthropic.
Cifrado
- En tránsito: TLS 1.3 aplicado en todos los endpoints (akordans.com y api.akordans.com)
- En reposo: cifrado AES-256 para todos los documentos de disputa y datos personales almacenados
- Base de datos: cifrada a nivel de capa de almacenamiento (volúmenes gestionados de Hetzner)
Retención de datos
- Registros de cumplimiento del Reglamento IA UE: 3 años (Art. 12(1)) — modelo, versión de prompt, recuentos de tokens, resúmenes de salida
- Documentos de disputa: 12 meses después del cierre de la disputa, luego eliminación permanente
- Eliminación de cuenta: período de gracia de 30 días bajo RGPD Art. 17 antes de la eliminación permanente
- Registros de pago: 7 años (requisito de la legislación fiscal de la UE, procesados y conservados por Stripe)
Sin entrenamiento de IA con tus datos
Akordans usa la API de Anthropic en modo de retención cero de datos. Tus prompts y completions no se usan para entrenar los modelos de Anthropic. Esto está garantizado contractualmente en nuestro acuerdo con Anthropic. Ver la política de uso de Anthropic para más detalles.
Procesadores externos
| Anthropic (Claude IA) | EE.UU. (CCE en vigor) |
| Hetzner | Alemania (UE) |
| Stripe | EE.UU. (CCE en vigor) |
| Resend | EE.UU. (CCE en vigor) |