Security posture
Esrok is built around data minimization. We store only what is needed to operate customer accounts, verify monitored emails, send alerts, enforce billing, and show breach history.
Current controls
- Passwordless magic-link login.
- Email verification before monitoring starts.
- Plan limits enforced by the backend.
- Breach records stored only for positive matches against verified monitored emails.
- Stripe-hosted checkout and billing portal.
- Owner monitoring for failed emails, failed checks, provider rate limits, cron health, and Stripe webhook activity.
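The first control above, magic-link login, is only as strong as the token behind the link. The following is an added illustration, not Esrok's code, of the properties a practitioner would check for: a CSPRNG token of at least 256 bits, stored only as a hash so that reading the token table cannot mint sessions, a short expiry, and single use so a replayed or forwarded link fails. The 15-minute lifetime and the in-memory store are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Assumed link lifetime for this example; Esrok does not publish its value.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """In-memory stand-in for a login-token table (constructed for this example).

    Keys are SHA-256 hashes of the raw token, never the raw token itself.
    """

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised in tests
        self._tokens = {}  # token_hash -> {"email", "expires", "used"}

    @staticmethod
    def _hash(raw: str) -> str:
        # The raw token has 256 bits of entropy, so a plain (unsalted) hash is
        # enough to make a leaked table useless to an attacker.
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a one-time token for `email` and return the raw value to email out."""
        raw = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
        self._tokens[self._hash(raw)] = {
            "email": email.strip().lower(),
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return raw

    def redeem(self, raw: str):
        """Return the verified email on success, or None if the token is unknown,
        expired, or already used. Lookup is by hash, so the raw token is never
        compared or stored server-side."""
        rec = self._tokens.get(self._hash(raw))
        if rec is None or rec["used"] or self._now() > rec["expires"]:
            return None
        rec["used"] = True  # burn before returning so a replayed link fails
        return rec["email"]


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("user@example.com")  # constructed sample address
    print("first redeem :", store.redeem(link_token))
    print("second redeem:", store.redeem(link_token))  # None: single use
```

In a real deployment the token table is a database row and the clock is the database's, but the three checks in `redeem` (unknown, used, expired) are the ones to look for when reviewing any magic-link implementation.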
Breach data handling
Esrok does not store raw breach dumps or passwords from breach sources. When a verified monitored email matches a known breach, Esrok stores the breach name, provider metadata, data categories, and timestamps needed to alert the customer and show history.
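The handling rule above is an allowlist projection: of whatever a breach provider returns, keep only the fields needed to alert and show history, and refuse anything resembling a credential or raw record. The code below is an added example of that projection, not Esrok's implementation; the field names (`breach_name`, `provider`, `breach_date`, `data_categories`), the forbidden-field list, and the sample provider payload are all constructed for the example.

```python
# Fields retained from a provider's breach match. Names are assumptions for
# this example, not Esrok's schema.
RETAINED_FIELDS = ("breach_name", "provider", "breach_date", "data_categories")

# Fields that must never be persisted no matter what a provider returns.
FORBIDDEN_FIELDS = ("password", "password_hash", "raw_record", "dump")

# Constructed sample of a provider response for a matched email; not real data.
SAMPLE_PROVIDER_MATCH = {
    "matched": True,
    "breach_name": "ExampleCorp",
    "provider": "example-breach-api",
    "breach_date": "2023-04-01",
    "data_categories": ["Email addresses", "Passwords"],
    "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99",
    "raw_record": "alice@example.com:password",
}


def minimize_breach_record(email: str, provider_match: dict, matched_at: str) -> dict:
    """Project a provider's breach match onto the minimal record kept for alerts
    and history.

    Raises ValueError if the payload is not a positive match, since only
    positive matches are stored, or if a forbidden field somehow survives.
    """
    if not provider_match.get("matched"):
        raise ValueError("only positive matches are stored")

    record = {"email": email.strip().lower(), "matched_at": matched_at}
    for field in RETAINED_FIELDS:  # allowlist: unknown keys are simply dropped
        if field in provider_match:
            record[field] = provider_match[field]

    # Tripwire in case the allowlist is ever widened carelessly.
    leaked = [f for f in FORBIDDEN_FIELDS if f in record]
    if leaked:
        raise ValueError(f"forbidden fields in record: {leaked}")
    return record


if __name__ == "__main__":
    stored = minimize_breach_record(
        "Alice@example.com", SAMPLE_PROVIDER_MATCH, "2024-01-01T00:00:00Z"
    )
    print(stored)  # no password_hash or raw_record key survives
```

The allowlist, not a denylist, does the real work: a new sensitive field from a provider is dropped by default rather than stored until someone notices. The forbidden-field check is a second layer that turns a configuration mistake into a loud failure instead of silent storage.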
Reporting vulnerabilities
Email michael@esrok.com with details so we can investigate and respond. Please do not publicly disclose an issue before we have had time to investigate it.
Incident response
We prioritize rapid investigation, clear communication, and corrective actions for any issue that impacts trust.
Secure development
We follow secure development practices, review changes carefully, and aim to reduce risk through testing and validation.
Access controls
Access to operational systems is limited to authorized personnel and reviewed as the team grows.
User safety basics
- Use a unique, hard-to-guess password for every account.
- Enable multi-factor authentication where available.
- Keep software and browsers up to date.