Security & Compliance
Infrastructure location, encryption, sub-processors, compliance roadmap, and SDK review information for OpenBait — the details your procurement team needs.
This page is organized around the questions mid-market security and procurement teams actually ask during a vendor review. If your questionnaire asks for something not covered here, email [email protected] — we respond with DPAs, security questionnaires (CAIQ, SIG-Lite, VRA), and bridge letters on request.
Data residency
- Production: Osaka, Japan data center
- Infrastructure provider: Xserver Inc. (Tokyo Stock Exchange listed, ISMS-certified)
- Backup: Separate region within Japan
Customer data is stored and processed in Japan. No cross-border data transfers occur, with one exception: optional LLM inference via Groq API (details below).
Encryption
In transit
- All external communication is TLS 1.3 required
- Certificates via Let's Encrypt with automated renewal; HSTS preloaded (max-age 2 years)
At rest
- Database (MySQL 8.0) on disk-level encrypted volumes (LUKS)
- Secrets (API keys, OAuth tokens) encrypted with AES-256-GCM before storage
- Passwords hashed with Argon2id
Access control
- Production access via SSH key-exchange + least-privilege
- Internal dashboards require 2FA
- Customer-data access is audit-logged for 90 days
Incident notification SLA
- Incidents impacting customer data are notified to the registered security contact within 72 hours of detection
- The notification includes: scope of impact, known cause, response status, initial remediation plan
- Security contact is configurable per organization in the Console
Infrastructure
- Hosting: Xserver VPS (Osaka, Japan, Ubuntu 24.04)
- CDN / DDoS protection: Cloudflare (global)
- Queue: Redis + Asynq (on production VPS)
- Database: MySQL 8.0 (on production VPS, with replicated backup)
- Monitoring: 24/7 automated alerts with on-call rotation
Secure development lifecycle (SDL)
- Design: Threat modeling (STRIDE-based), DPA review for any new external integration
- Build: Mandatory code review, secret scanning (gitleaks, etc.)
- Test: Automated dependency vulnerability scanning, annual penetration test
- Deploy: Locked GitHub Actions pipelines, documented rollback procedures
Sub-processors
Third-party service providers OpenBait relies on. A sub-processor schedule for your DPA is available on request.
| Provider | Purpose | Data location | Notes |
|---|---|---|---|
| Xserver Inc. | Production hosting | Japan (Osaka) | TSE-listed, ISMS-certified |
| Cloudflare | CDN / DDoS / edge certificates | Global edge | ISO 27001 / SOC 2 Type II |
| Brevo (Sendinblue) | Transactional email | EU | GDPR-compliant, ISO 27001 |
| Groq | AI inference (optional) | United States | SOC 2 Type I (see section below) |
Compliance roadmap
Current status and planned certifications:
| Certification | Status | Target |
|---|---|---|
| GDPR | Compliant | — |
| APPI (Japan) | Compliant | — |
| ISMS / ISO 27001 | Will begin after 5 customer deployments | 2026 Q3 onwards |
| SOC 2 Type II | Under evaluation | 2027 or later |
| PrivacyMark (Japan) | Under evaluation | TBD |
No formal audits have completed yet, but technical controls (encryption, access control, audit logging) are operated at a level consistent with audited peers. Contact us for details on the ISMS timeline if procurement requires formal certification.
AI data processing (Groq API)
Some OpenBait features (AI case summaries, threat analysis) use Groq API for LLM inference.
- Data sent: Domain names, screenshot URLs, HTML content excerpts only
- Data NOT sent: PII, other customer asset data, admin identity information
- Retention: Groq does not persistently store input data; per their retention policy, data is deleted within 30 days
- Opt-out: AI features can be fully disabled from the Console settings
SDK review information
When deploying the OpenBait JavaScript SDK on your site, your security review typically asks:
- CSP compatibility: Supports
strict-dynamic+ nonce. No'unsafe-inline'or'unsafe-eval'required. - Subresource integrity (SRI): All bundles carry SHA-384 hashes; tampering is detectable.
- Self-hosting (Business plan and above): SDK bundle can be served from your own CDN.
- Auditable source: Non-obfuscated build + source maps available under NDA.
- Privacy: SDK does not identify individual users. It hashes referrer values for blocklist matching only.
Technical architecture detail: see the Canary + SDK deep dive.
Responsible disclosure
We welcome vulnerability reports from security researchers.
- Address: [email protected]
- Acknowledgment: Within 48 hours
- Remediation target: Critical / High severity within 7 days; Medium within 30 days
- Recognition: With reporter's consent, credit is given in release notes after remediation
Contracts, DPA, bridge letters
Email [email protected] if you need:
- DPA (Data Processing Agreement): Japanese and EU formats
- NDA: For sharing technical documentation during evaluation
- Security questionnaire: CAIQ / SIG-Lite / VRA formats all answerable
- Japanese invoice / contract templates
Last updated: 2026-04-23
This page is reviewed regularly. Material changes are communicated to existing customers via email.