Security & Privacy ✓ EU AI Act Compliant ✓ GDPR Compliant

At Stack of Truths, I take security seriously — not just for my clients, but for their customers too. This page explains how I protect your data, maintain confidentiality, and ensure every report is verifiably authentic. Based in The Netherlands 🇳🇱

📄 Report Security — Complete

Every client receives a tamper-proof, verifiable report package. No one can fabricate a Stack of Truths report — the GPG signature and hash verification make it mathematically provable.

🔑 How clients verify authenticity:

✅ Compliance & Assurance

Authenticity	GPG signature — proves report came from Stack of Truths
Integrity	SHA-256 hash — proves report wasn’t modified
Non-repudiation	GPG key tied to Stack of Truths identity
Watermark	Diagonal “STACK OF TRUTHS CONFIDENTIAL” on every PDF page
Verification	Public API endpoint + public key download

📋 Data Encryption at Rest

All client booking information, target domains, and audit data are encrypted immediately upon submission using:

• AES-256-CBC — Military-grade encryption algorithm
• PBKDF2 — Key derivation with 100,000 iterations
• Unique passphrase — Stored with 600 permissions (owner-only access)

🔒 Confidentiality & Non-Disclosure

Every client engagement is protected by a strict confidentiality agreement. I do not share findings, reports, or client identities without explicit written permission.

If you require a signed NDA before discussing your project, just ask — I provide one for every engagement.

🛡️ Secure Pentesting Environment

All security assessments are performed on a dedicated, isolated pentest laptop:

• No cross-contamination with production systems
• Air-gapped where required
• Tailscale VPN for secure remote access
• UFW firewall with strict port rules
• SSH with 2FA (Google Authenticator)

📁 Data Retention & Deletion

Client data is retained only as long as necessary:

You may request deletion of your data at any time. I will confirm deletion within 72 hours.

🔐 Infrastructure Security

Your data resides on a VPS with the following protections:

• ✅ Daily automated backups
• ✅ Firewall (UFW) with minimal open ports (22, 80, 443, 8081, 8090)
• ✅ Tailscale mesh VPN for authorized access only
• ✅ SSH key + 2FA authentication
• ✅ Regular security updates and patching

📧 What Information We Collect

When you book a pentest, we collect:

• Your name, email, and company (for engagement purposes)
• Target domains or IP addresses (for testing)
• Digital signature authorization (for legal compliance)
• Payment information (processed securely via Stripe — we never store your card details)

🔓 Your Rights (GDPR & EU AI Act)

Under GDPR (Regulation (EU) 2016/679) and the EU AI Act, you have the right to:

• Access — Request a copy of your data
• Correct — Update inaccurate information
• Delete — Request removal of your data (right to be forgotten)
• Portability — Receive your data in a structured format
• Object — Object to processing of your data
• Human review — Request human oversight of AI-based decisions

For privacy requests, DM @StackOfTruths on X or email pedrojose@stackoftruths.com. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

📞 Contact Us

If you have any security concerns or privacy questions:

• 🐦 X (Twitter): @StackOfTruths
• 📧 Email: pedrojose@stackoftruths.com
• 📍 Address: Keurenplein 41, 1069CD Amsterdam, Netherlands

---

🦞 Stack of Truths — Website & AI Penetration Testing for Small Entrepreneurs
KVK 94992266 · Registered in Amsterdam, Netherlands · EU AI Act Compliant