Security & Compliance

Infrastructure location, encryption, sub-processors, compliance roadmap, and SDK review information for OpenBait — the details your procurement team needs.

This page is organized around the questions mid-market security and procurement teams actually ask during a vendor review. If your questionnaire asks for something not covered here, email [email protected] — we respond with DPAs, security questionnaires (CAIQ, SIG-Lite, VRA), and bridge letters on request.

Data residency

  • Production: Osaka, Japan data center
  • Infrastructure provider: Xserver Inc. (Tokyo Stock Exchange listed, ISMS-certified)
  • Backup: Separate region within Japan

Customer data is stored and processed in Japan. No cross-border data transfers occur, with one exception: optional LLM inference via Groq API (details below).

Encryption

In transit

  • All external communication is TLS 1.3 required
  • Certificates via Let's Encrypt with automated renewal; HSTS preloaded (max-age 2 years)

At rest

  • Database (MySQL 8.0) on disk-level encrypted volumes (LUKS)
  • Secrets (API keys, OAuth tokens) encrypted with AES-256-GCM before storage
  • Passwords hashed with Argon2id

Access control

  • Production access via SSH key-exchange + least-privilege
  • Internal dashboards require 2FA
  • Customer-data access is audit-logged for 90 days

Incident notification SLA

  • Incidents impacting customer data are notified to the registered security contact within 72 hours of detection
  • The notification includes: scope of impact, known cause, response status, initial remediation plan
  • Security contact is configurable per organization in the Console

Infrastructure

  • Hosting: Xserver VPS (Osaka, Japan, Ubuntu 24.04)
  • CDN / DDoS protection: Cloudflare (global)
  • Queue: Redis + Asynq (on production VPS)
  • Database: MySQL 8.0 (on production VPS, with replicated backup)
  • Monitoring: 24/7 automated alerts with on-call rotation

Secure development lifecycle (SDL)

  • Design: Threat modeling (STRIDE-based), DPA review for any new external integration
  • Build: Mandatory code review, secret scanning (gitleaks, etc.)
  • Test: Automated dependency vulnerability scanning, annual penetration test
  • Deploy: Locked GitHub Actions pipelines, documented rollback procedures

Sub-processors

Third-party service providers OpenBait relies on. A sub-processor schedule for your DPA is available on request.

ProviderPurposeData locationNotes
Xserver Inc.Production hostingJapan (Osaka)TSE-listed, ISMS-certified
CloudflareCDN / DDoS / edge certificatesGlobal edgeISO 27001 / SOC 2 Type II
Brevo (Sendinblue)Transactional emailEUGDPR-compliant, ISO 27001
GroqAI inference (optional)United StatesSOC 2 Type I (see section below)

Compliance roadmap

Current status and planned certifications:

CertificationStatusTarget
GDPRCompliant
APPI (Japan)Compliant
ISMS / ISO 27001Will begin after 5 customer deployments2026 Q3 onwards
SOC 2 Type IIUnder evaluation2027 or later
PrivacyMark (Japan)Under evaluationTBD

No formal audits have completed yet, but technical controls (encryption, access control, audit logging) are operated at a level consistent with audited peers. Contact us for details on the ISMS timeline if procurement requires formal certification.

AI data processing (Groq API)

Some OpenBait features (AI case summaries, threat analysis) use Groq API for LLM inference.

  • Data sent: Domain names, screenshot URLs, HTML content excerpts only
  • Data NOT sent: PII, other customer asset data, admin identity information
  • Retention: Groq does not persistently store input data; per their retention policy, data is deleted within 30 days
  • Opt-out: AI features can be fully disabled from the Console settings

SDK review information

When deploying the OpenBait JavaScript SDK on your site, your security review typically asks:

  • CSP compatibility: Supports strict-dynamic + nonce. No 'unsafe-inline' or 'unsafe-eval' required.
  • Subresource integrity (SRI): All bundles carry SHA-384 hashes; tampering is detectable.
  • Self-hosting (Business plan and above): SDK bundle can be served from your own CDN.
  • Auditable source: Non-obfuscated build + source maps available under NDA.
  • Privacy: SDK does not identify individual users. It hashes referrer values for blocklist matching only.

Technical architecture detail: see the Canary + SDK deep dive.

Responsible disclosure

We welcome vulnerability reports from security researchers.

  • Address: [email protected]
  • Acknowledgment: Within 48 hours
  • Remediation target: Critical / High severity within 7 days; Medium within 30 days
  • Recognition: With reporter's consent, credit is given in release notes after remediation

Contracts, DPA, bridge letters

Email [email protected] if you need:

  • DPA (Data Processing Agreement): Japanese and EU formats
  • NDA: For sharing technical documentation during evaluation
  • Security questionnaire: CAIQ / SIG-Lite / VRA formats all answerable
  • Japanese invoice / contract templates

Last updated: 2026-04-23

This page is reviewed regularly. Material changes are communicated to existing customers via email.

Security & Compliance | OpenBait