Skip to main content
Security

Responsible Disclosure Policy

Helping us keep Akordans secure

Effective date: 25 March 2026

Akordans takes the security of our platform and our users' data extremely seriously. We welcome reports from security researchers who discover potential vulnerabilities.

Scope

In scope:

  • akordans.com and all subdomains
  • api.akordans.com
  • The Akordans web and mobile applications
  • Our API endpoints

Out of scope:

  • Third-party services (Stripe, Resend, Anthropic)
  • Social engineering or phishing attacks
  • Physical security
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning without prior approval

What to Report

We are particularly interested in:

Vulnerability TypeExamples
Authentication issuesBroken login, session fixation, JWT vulnerabilities
Authorisation issuesAccessing other users' data, privilege escalation
Data exposureUnintended exposure of personal or dispute data
Injection attacksSQL injection, XSS, command injection
API securityInsecure endpoints, missing rate limiting, IDOR
CSRFMissing or bypassable CSRF protection

How to Report

Email: security@akordans.com

Please include in your report:

  1. A clear description of the vulnerability
  2. Step-by-step instructions to reproduce it
  3. The potential impact if exploited
  4. Any proof-of-concept code or screenshots
  5. Your suggested fix (optional but appreciated)

For sensitive reports, request our PGP key before sending.

Our Commitments to You

CommitmentTimeline
Acknowledge your reportWithin 48 hours
Provide a status updateWithin 7 days
Resolve critical vulnerabilitiesWithin 30 days
Notify you when resolvedUpon fix deployment

We commit to:

  • Not pursuing legal action against researchers acting in good faith
  • Crediting you in our security acknowledgements (if you wish)
  • Keeping you informed throughout the resolution process

Rules of Engagement

To qualify for responsible disclosure protections, you must:

  • ✅ Only test on accounts you own or have explicit permission to test
  • ✅ Stop immediately if you encounter any personal data
  • ✅ Report findings promptly and privately
  • ✅ Give us reasonable time to respond before public disclosure
  • ❌ Not access, modify, or delete other users' data
  • ❌ Not perform denial of service testing
  • ❌ Not use automated scanners without prior written approval
  • ❌ Not publicly disclose before we have resolved the issue

Security Acknowledgements

We maintain a Hall of Fame for researchers who responsibly disclose valid vulnerabilities. We do not currently offer monetary bounties but are considering a formal bug bounty programme.

Contact

Security issues: security@akordans.com General enquiries: support@akordans.com Response time: within 48 hours for security reports

Privacidad de datos

Cómo Akordans protege tus datos

Residencia de datos — solo UE

Todos los datos personales y documentos de disputa se almacenan exclusivamente en infraestructura con sede en la UE (Hetzner, Alemania). Los datos no salen de la UE excepto para inferencia de IA a través de la API de Anthropic, cubierta por Cláusulas Contractuales Estándar (CCE) y el Adéndum de Procesamiento de Datos UE de Anthropic.

Cifrado

  • En tránsito: TLS 1.3 aplicado en todos los endpoints (akordans.com y api.akordans.com)
  • En reposo: cifrado AES-256 para todos los documentos de disputa y datos personales almacenados
  • Base de datos: cifrada a nivel de capa de almacenamiento (volúmenes gestionados de Hetzner)

Retención de datos

  • Registros de cumplimiento del Reglamento IA UE: 3 años (Art. 12(1)) — modelo, versión de prompt, recuentos de tokens, resúmenes de salida
  • Documentos de disputa: 12 meses después del cierre de la disputa, luego eliminación permanente
  • Eliminación de cuenta: período de gracia de 30 días bajo RGPD Art. 17 antes de la eliminación permanente
  • Registros de pago: 7 años (requisito de la legislación fiscal de la UE, procesados y conservados por Stripe)

Sin entrenamiento de IA con tus datos

Akordans usa la API de Anthropic en modo de retención cero de datos. Tus prompts y completions no se usan para entrenar los modelos de Anthropic. Esto está garantizado contractualmente en nuestro acuerdo con Anthropic. Ver la política de uso de Anthropic para más detalles.

Procesadores externos

Anthropic (Claude IA)EE.UU. (CCE en vigor)
HetznerAlemania (UE)
StripeEE.UU. (CCE en vigor)
ResendEE.UU. (CCE en vigor)