Security Policy
Last updated: 14 June 2026
SUNURA provides operational software for AI disclosure workflows, proof capture, evidence records, public verification pages, evidence exports, scanner workflows, API automation, widgets, integrations, and related compliance-operation services.
This page summarizes SUNURA’s public security posture for customers, reviewers, procurement teams, legal reviewers, privacy reviewers, security reviewers, and auditors.
SUNURA applies technical and organizational measures designed to protect customer accounts, workspaces, evidence records, public verification pages, exports, API activity, and related service data against unauthorized access, misuse, alteration, loss, and disclosure.
SUNURA is not a law firm and does not provide legal advice, legal representation, regulatory certification, audit certification, conformity assessment, security certification, or a guarantee that any customer is compliant with applicable law.
1. Security principles
SUNURA’s security approach is based on the following principles:
- Least-privilege access: Access to systems, workspaces, records, administrative functions, and customer data is restricted to authorized users, roles, services, and personnel with a legitimate need.
- Workspace separation: Customer accounts, workspaces, records, configurations, evidence records, exports, API activity, and verification data are logically separated by account and workspace.
- Secure transmission: Production browser and API traffic uses HTTPS/TLS to protect data in transit.
- Evidence integrity: Evidence records may include proof identifiers, timestamps, rendered-notice hashes, record hashes, version identifiers, surface references, export metadata, and related integrity controls.
- Operational logging: Security-relevant, account-relevant, API-relevant, evidence-relevant, and administrative activity is logged where appropriate for security, abuse prevention, auditability, and incident investigation.
- Data minimization: SUNURA is designed to avoid unnecessary exposure of customer data in public verification pages, exports, logs, screenshots, DOM captures, scanner inputs, support records, and operational metadata.
- Customer-controlled configuration: Customers remain responsible for configuring workspaces, users, API keys, deployment snippets, scanner inputs, evidence-capture settings, public verification pages, export settings, retention settings, and disclosure workflows lawfully and securely.
2. Access control
SUNURA uses access controls designed to restrict access to customer accounts, workspaces, dashboards, evidence records, exports, API functions, administrative functions, and support workflows.
Access controls may include:
- authenticated sessions;
- user roles and permissions;
- workspace-aware authorization;
- administrator access controls;
- API-key controls;
- service-account restrictions;
- least-privilege personnel access;
- access logging for sensitive actions;
- revocation of access when no longer required.
Customers are responsible for managing their own authorized users, account administrators, passwords, API keys, deployment snippets, integrations, client workspaces, and connected systems.
3. Authentication and account security
Access to a SUNURA account requires user authentication.
Customers must protect login credentials, passwords, API keys, access tokens, deployment snippets, integration credentials, administrator accounts, and connected systems.
Customers must promptly report suspected unauthorized access, account compromise, exposed API keys, leaked credentials, suspicious activity, or misuse involving their account, workspace, API activity, integrations, or deployment snippets.
SUNURA may restrict, suspend, rotate, revoke, or disable access credentials, API keys, sessions, integrations, public verification pages, or workspace functions where reasonably necessary to protect the Services, customers, third parties, or SUNURA systems.
4. Workspace and tenant separation
SUNURA uses logical separation controls designed to keep customer records, workspaces, users, configurations, evidence records, exports, proof captures, API events, public verification records, and billing-relevant records separated by customer account and workspace.
Workspace-aware authorization is used to restrict access to customer-specific records and functions.
Customers using SUNURA for clients, agencies, managed services, or multi-workspace operations are responsible for assigning the correct users, roles, client workspaces, permissions, export access, and public verification settings.
5. Encryption and transmission security
Production browser and API traffic uses HTTPS/TLS.
SUNURA applies encryption or equivalent protective controls for sensitive production environments where appropriate to the nature of the service, the applicable plan, the deployment model, and the customer agreement.
Customers are responsible for securing their own browsers, devices, networks, websites, applications, CMS installations, API clients, deployment environments, and third-party systems connected to SUNURA.
6. Evidence integrity controls
SUNURA evidence records are designed to document operational events, including disclosure creation, notice rendering, proof capture, scanner checks, verification events, API events, export generation, and public verification status.
Evidence records may include:
- proof identifiers;
- timestamps;
- workspace identifiers;
- disclosure versions;
- notice text or notice references;
- surface references;
- rendered-notice hashes;
- record hashes;
- DOM or screenshot proof where configured;
- export metadata;
- verification metadata;
- API event metadata.
Evidence records document operational proof. They do not certify legal compliance, regulatory approval, legal sufficiency, audit approval, or conformity with any legal obligation.
Customers must not falsify, backdate, manipulate, conceal, misrepresent, or misuse SUNURA evidence records, verification pages, proof identifiers, exports, scanner outputs, screenshots, hashes, or reports.
7. Public verification page security
SUNURA public verification pages are designed to display limited verification information for selected evidence records.
Public verification pages may show information such as proof identifiers, verification status, timestamps, disclosure type, notice version, hash values, surface labels, or other selected metadata.
Public verification pages should not be used to expose confidential information, excessive personal data, secrets, private keys, credentials, sensitive business data, or unnecessary technical details.
Customers are responsible for deciding whether a public verification page should be enabled, shared, embedded, published, restricted, disabled, or removed.
SUNURA may remove, disable, restrict, or suspend public verification pages that appear unlawful, misleading, abusive, insecure, privacy-invasive, excessive, or inconsistent with the Agreement.
8. Scanner, widget, API, and integration security
SUNURA scanner, widget, API, render-proof, gate-check, proof-capture, deployment-check, and integration features are designed for authorized customer environments.
Customers may use these features only for websites, applications, systems, content surfaces, domains, client environments, and deployment environments that they are authorized to test, manage, monitor, or operate.
SUNURA may apply technical controls such as authentication, API keys, rate limits, logging, verification checks, abuse monitoring, plan limits, usage limits, and access restrictions.
Customers must not use scanner, widget, API, or automation features for unauthorized testing, unauthorized scanning, scraping, surveillance, credential collection, denial-of-service activity, evasion, abuse, or misleading evidence generation.
9. Logging and monitoring
SUNURA records operational events where appropriate to support security, service reliability, abuse prevention, troubleshooting, billing-relevant activity, evidence integrity, export activity, and incident investigation.
Logs may include:
- authentication events;
- workspace events;
- role and permission events;
- API activity;
- proof-capture events;
- scanner events;
- public verification events;
- export events;
- billing-relevant events;
- sensitive administrative actions;
- security events;
- error and performance events.
Log retention, access, content, and availability may vary by service function, customer plan, legal obligation, security requirement, and production configuration.
SUNURA limits access to logs to authorized personnel and systems with a legitimate operational, security, support, legal, or compliance need.
10. Backups and recovery
SUNURA maintains backup and recovery practices appropriate to the production service, customer plan, deployment model, and applicable agreement.
Backup and recovery controls are designed to support service continuity, restoration of availability, incident response, and protection against accidental or unlawful loss.
Backup-retention periods, recovery objectives, recovery procedures, export availability, and deletion timelines may vary by plan, deployment model, customer configuration, and legal requirement.
Customers are responsible for exporting records they need to retain before cancellation, downgrade, expiry, termination, or deletion.
11. Vulnerability management
SUNURA applies vulnerability-management practices designed to identify, assess, prioritise, and remediate security issues affecting the Services.
SUNURA may use internal review, dependency review, security testing, code review, configuration review, monitoring, third-party reports, responsible-disclosure reports, and other reasonable measures to improve service security.
Customers must not perform penetration tests, vulnerability scans, automated security testing, load testing, scraping, or aggressive probing of SUNURA systems without prior written authorization.
Security concerns may be reported through the security contact listed below.
12. Incident response
SUNURA maintains an incident-response process for suspected or confirmed security incidents.
Security incidents are triaged, contained, investigated, remediated, and reviewed according to their nature, severity, scope, and customer impact.
Where a personal-data breach affects customer personal data processed by SUNURA as processor, SUNURA notifies the affected customer in accordance with the Data Processing Addendum and applicable law.
Where SUNURA acts as controller, SUNURA handles breach assessment and notification obligations in accordance with applicable law.
SUNURA’s incident notifications do not constitute an admission of fault or liability.
13. Personnel and confidentiality
Personnel with access to SUNURA systems, customer data, support records, operational logs, or administrative tooling are subject to confidentiality obligations.
Access to customer data and production systems is limited to personnel and service providers with a legitimate need for providing, maintaining, securing, supporting, improving, or administering the Services.
Personnel access is reviewed, restricted, and revoked where appropriate.
14. Subprocessors and hosting security
SUNURA uses subprocessors and service providers to support hosting, infrastructure, storage, payment processing, email delivery, security, logging, support, analytics, or other operational functions where required for the Services.
Subprocessors that process customer personal data are subject to written data-protection and security obligations appropriate to their role.
SUNURA maintains public subprocessor information through the Subprocessors page.
For security reasons, SUNURA does not publish server names, IP addresses, database names, firewall rules, internal network topology, private keys, credentials, detailed security configurations, or sensitive infrastructure diagrams on public pages.
15. Data location and international transfers
SUNURA documents data-location and international-transfer information through its Privacy Notice, Data Processing Addendum, Subprocessors page, customer agreement, or applicable deployment documentation.
Where customer personal data is transferred outside the European Economic Area, SUNURA uses an applicable transfer mechanism, such as an adequacy decision, the European Commission Standard Contractual Clauses, or another lawful safeguard where required.
Data-location commitments may vary by plan, deployment model, customer configuration, and written agreement.
16. Customer security responsibilities
Customers are responsible for securely configuring and using the Services.
Customer responsibilities include:
- managing authorized users and roles;
- protecting passwords and credentials;
- protecting API keys and access tokens;
- protecting deployment snippets and integrations;
- configuring scanner and proof-capture workflows lawfully;
- reviewing public verification pages before publication;
- reviewing evidence exports before sharing;
- avoiding unnecessary personal data in URLs, screenshots, DOM captures, logs, scanner inputs, support messages, and API payloads;
- removing users who no longer require access;
- securing customer websites, applications, CMS platforms, AI systems, browsers, devices, and networks;
- reporting suspected misuse, compromise, or vulnerabilities promptly.
SUNURA is not responsible for insecurity caused by customer systems, customer misconfiguration, unauthorized sharing of credentials, exposed API keys, unlawful scanning, excessive data capture, third-party systems, or misuse of exports and public verification pages.
17. Enterprise and advanced security options
Certain security, assurance, and enterprise controls are available only under applicable plans, order forms, customer agreements, or separately configured deployments.
These may include:
- single sign-on;
- advanced role-based access controls;
- custom data-residency commitments;
- dedicated hosting;
- custom retention commitments;
- custom backup or recovery commitments;
- custom security questionnaires;
- security addenda;
- custom DPA terms;
- service-level commitments;
- enterprise support;
- KMS/HSM arrangements;
- trusted signing workflows;
- C2PA-related workflows;
- penetration-test summaries where available;
- architecture summaries under confidentiality.
SUNURA does not claim that such controls are included unless they are expressly stated in the applicable plan, order form, customer agreement, or written commitment.
18. Certifications and external assurance
SUNURA does not represent that it holds ISO 27001, SOC 2, CSA STAR, Cyber Essentials, PCI DSS, C2PA trust-list status, qualified trust service status, or any other external security certification unless such certification is expressly published by SUNURA or stated in a signed customer agreement.
Security questionnaires, security summaries, audit summaries, architecture summaries, penetration-test summaries, and similar materials may be provided where available and commercially reasonable, subject to confidentiality and security restrictions.
19. Responsible disclosure
SUNURA welcomes responsible reporting of security concerns.
Reports should be sent to:
SUNURA Security
Email: [email protected]
Reports should include enough information to reproduce or understand the issue, such as affected URL, account context, proof identifier, API endpoint, browser details, screenshot, timestamp, request information, or a clear description of the suspected vulnerability.
Reporters must not access, modify, delete, exfiltrate, disrupt, or disclose customer data or SUNURA data.
Reporters must not perform destructive testing, denial-of-service testing, social engineering, phishing, physical attacks, malware deployment, persistence testing, credential theft, unauthorized scanning, or testing against third-party systems.
20. Important boundary
SUNURA provides software for disclosure workflows, evidence records, proof capture, public verification pages, scanner workflows, API automation, and evidence exports.
SUNURA does not provide legal advice, regulatory advice, legal representation, legal certification, regulatory certification, audit certification, security certification, conformity assessment, or a guarantee of legal compliance.
SUNURA evidence records document operational proof. They do not prove that a customer’s disclosure wording, timing, placement, AI system, content workflow, data-processing activity, or legal interpretation is legally sufficient.
Customers remain responsible for legal review, implementation choices, real deployment, AI-system configuration, public-facing notices, privacy compliance, security configuration, and use of SUNURA outputs.
21. Contact
Security questions, suspected vulnerabilities, suspected misuse, and security incidents may be sent to:
SUNURA Security
Email: [email protected]