Trust + compliance

Security at Augur

We process public OSINT feeds and the watch zones you define. We hold no payment card data and no personal data beyond what sign-in, billing and alert delivery require. Here is exactly how we handle what we do have.

Report a vulnerability · Privacy policy

Data we collect

  • Account email and (hashed) password — required for sign-in.
  • Watch zone definitions you create — coordinates, radii, polygons, severity thresholds.
  • Alert delivery destinations you configure — Slack webhook URLs, Discord webhooks, Telegram chat IDs, email addresses. Treat webhook URLs as secrets: anyone holding a Slack or Discord webhook URL can post to that channel, so rotate it at the provider if it is ever exposed.
  • Stripe customer + subscription IDs (no card data — Stripe holds that).
  • Server-side request logs, including client IP, for 30 days. Nothing from these logs is retained beyond that window, and they are not joined to account data.

Encryption

  • In transit: TLS 1.3 on every public endpoint (augur.news, dashboard, API). HSTS enabled. No mixed content.
  • At rest: Postgres in eu-central-1 (Frankfurt) with AES-256 disk encryption. Daily encrypted backups retained for 30 days. Disk encryption protects against lost or reused storage media; it does not protect rows from a compromised database credential, which is what the access controls below are for.
  • API keys: only the SHA-256 hash is stored in augur_api_keys. The plaintext key is shown to you exactly once at creation; we cannot recover it. An unsalted hash is adequate here because each key is random and high-entropy, which is not true of passwords.
  • Passwords: bcrypt via Supabase Auth. The plaintext password is handled by Supabase Auth during sign-in, never by Augur's own servers, and only the bcrypt hash is stored.

Access control

  • Row-level security (Postgres RLS) on every customer table. Your watch zones, alerts, API keys and channels are only visible to your account.
  • Service-role keys bypass RLS, so they live only on the backend (Vercel, VPS env files) and never in the client bundle. CI rotates them quarterly.
  • Single admin operator (the founder). SSH access to the VPS is via ed25519 key only — password auth disabled.
  • Audit log of every administrative action against customer data is retained for 90 days, after which entries are pseudonymised.
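
The API-key hashing described under Encryption and the per-account RLS described above, as one added example. This is not Augur's schema or code: the table name augur_api_keys is the page's, but every column, function name and policy name is an assumption. It targets Supabase Postgres, where auth.uid() returns the signed-in user's id and the pgcrypto extension provides gen_random_bytes and digest.

```sql
-- Added example (not Augur's code). Columns, function and policy names are
-- assumptions; only the table name augur_api_keys comes from the page.
create extension if not exists pgcrypto;

create table if not exists augur_api_keys (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  key_prefix text not null,           -- first 14 chars, shown in the UI to identify a key
  key_hash   bytea not null unique,   -- sha256(plaintext); the plaintext is never stored
  created_at timestamptz not null default now(),
  revoked_at timestamptz
);

-- Row-level security: an account sees and revokes only its own keys.
alter table augur_api_keys enable row level security;

create policy "owner reads own keys" on augur_api_keys
  for select using (auth.uid() = user_id);

create policy "owner revokes own keys" on augur_api_keys
  for update using (auth.uid() = user_id)
  with check (auth.uid() = user_id);
-- No insert policy for end users: keys are minted server-side (below), and
-- the service role, which bypasses RLS, is the only caller of that function.

-- Mint a key. The plaintext is returned exactly once; only its hash is persisted.
create or replace function mint_api_key(p_user uuid)
returns text
language plpgsql security definer
set search_path = public, extensions
as $$
declare
  -- 32 random bytes = 256 bits of entropy, hex-encoded, with a recognisable prefix
  plaintext text := 'augur_' || encode(gen_random_bytes(32), 'hex');
begin
  insert into augur_api_keys (user_id, key_prefix, key_hash)
  values (p_user, left(plaintext, 14), digest(plaintext, 'sha256'));
  return plaintext;
end
$$;

-- Resolve a presented key to its owner. Because the key is random and
-- high-entropy, an unsalted SHA-256 lookup is sufficient (unlike passwords,
-- which need a slow, salted hash such as bcrypt). Revoked keys never match.
create or replace function resolve_api_key(p_key text)
returns uuid
language sql security definer stable
set search_path = public, extensions
as $$
  select user_id
    from augur_api_keys
   where key_hash = digest(p_key, 'sha256')
     and revoked_at is null;
$$;

-- Only the backend may mint or resolve keys; browser-facing roles cannot.
revoke execute on function mint_api_key(uuid) from public, anon, authenticated;
revoke execute on function resolve_api_key(text) from public, anon, authenticated;
```

The backend calls mint_api_key once, hands the returned string to the user, and thereafter only ever calls resolve_api_key with what the client presents; a database dump yields hashes that cannot be turned back into usable keys, and the RLS policies mean a leaked browser session can list or revoke only that account's rows.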

Infrastructure

  • Frontend: Vercel (US + EU edge).
  • Postgres + auth: Supabase (Frankfurt, EU).
  • Ingest workers, AIS bridge, signal engine: Hetzner Cloud CPX22 (Falkenstein, EU).
  • Payments: Stripe — we never touch card numbers.
  • Emails: Resend (SOC2 Type II certified).

Vulnerability disclosure

Email security@augur.news with a description and reproduction steps. We acknowledge within 48 hours and aim to patch high-severity issues within 7 days. We do not run a paid bounty program at this stage, but every valid report earns a credit in the changelog and a year of Pro on us.

Compliance roadmap

  • Today: GDPR-aligned (data residency EU, deletion-on-request honoured within 30 days).
  • Q3 2026: SOC2 Type I — Drata trust-center rollout, control evidence gathering.
  • Q1 2027: SOC2 Type II.

Enterprise customers can request a current Drata trust-report snapshot under NDA via security@augur.news.

Data deletion

Delete your account from /settings. We purge your zones, channels, API keys and alert history immediately. Encrypted backups roll off within 30 days. Audit-log entries that reference your user-id are pseudonymised after 90 days.