Security and trust

We're asking you to trust us with the most sensitive part of your infrastructure. Here's what we do to earn it.

Minimal-trust architecture

Vulnerability scanning runs locally on your machine - Secvalis never has access to your infrastructure. Only scan metadata (hostname, installed packages, versions, matched CVEs) is sent to the platform.

There is no agent and no background daemon - a script runs on a schedule you control, and can be disabled at any time. The API key issued to the script is scoped exclusively to submitting scan results securely.

See the full specification of the transmitted payload: What data is transmitted.

Data protection

Hosting: OVHcloud, servers located in Warsaw, Poland (EU / EEA).

Encryption: TLS 1.2+ in transit. To be transparent and honest: the database itself is not encrypted at rest. Backups, however, are encrypted (restic) before being sent and stored daily, offsite, in OVH Object Storage (S3, Poland region), with a retention policy of 7 daily, 4 weekly and 6 monthly copies, and a weekly restore test.

Customer data separation: per-account isolation (multi-tenancy).

Retention / deletion: data is deleted within 30 days of account closure; export is available at any time.

GDPR: the data controller is SYSDEVOPS.EU Jarosław Karsznia. Subprocessors: OVHcloud (hosting + backup storage, EEA) and Resend (transactional email delivery, USA - under the Data Privacy Framework / Standard Contractual Clauses).

Full details: Data Processing Agreement (DPA).

Platform security

Access: role-based access control plus per-account MFA - the account owner can enforce MFA for all users. An immutable audit log records actions and is available to the AUDITOR role.

Security testing: every feature is tested internally for vulnerabilities before release.

Responsible disclosure

Found a vulnerability in Secvalis? Write to [email protected]. We respond within 72 hours and do not pursue legal action against researchers acting in good faith.

Who we are

Secvalis is built by Jarosław Karsznia (SYSDEVOPS.EU), with over 17 years of experience in infrastructure administration and maintenance (DevOps/SysOps). The tool was born out of a real need to manage vulnerabilities across hundreds of machines without an enterprise budget.

More about me

Vulnerability data from NVD (NIST) · CISA KEV · EPSS