Security & Privacy

Built to be trusted with your competitive data

Argus monitors only public, legal sources. Your account data is encrypted, your passwords are never stored in plain text, and we don't sell your data or train AI models on it.

How we protect your account and data

Authentication & passwords

Passwords are hashed using bcrypt before storage — we never store plain-text passwords and cannot recover them. Password reset uses single-use expiring tokens sent to your email.

  • Session cookies are HttpOnly (not readable by page scripts) and the session is rotated on login, which defeats session fixation
  • Rate limiting on login attempts — 5 per minute per IP
  • API keys use 32-byte URL-safe tokens (256 bits of entropy)
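As an added illustration (not Argus's own code), the following Python shows the token handling the paragraph and bullets above describe: a single-use, expiring password-reset token, an API key minted as a 32-byte URL-safe token (the 256 bits of entropy quoted above), and a per-IP sliding-window limiter capped at five login attempts a minute. Function names, the 15-minute reset lifetime and the in-memory dicts are assumptions; the page does not say how Argus stores these values, and the practice of keeping only a SHA-256 digest of each token at rest is the editor's, not something the page states. The bcrypt password hashing itself is not repeated here.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

RESET_TTL_SECONDS = 15 * 60   # assumed lifetime for a reset token (not stated on the page)


def _fingerprint(token: str) -> str:
    # Only a SHA-256 digest is kept, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def new_reset_token(store: dict, user_id: int, now: float) -> str:
    """Mint a reset token. The raw value goes in the e-mail; only its digest is stored."""
    token = secrets.token_urlsafe(32)       # 32 random bytes -> 43 URL-safe chars, 256 bits
    store[_fingerprint(token)] = {"user_id": user_id, "expires": now + RESET_TTL_SECONDS}
    return token


def redeem_reset_token(store: dict, token: str, now: float):
    """Return the user id for a valid token and consume it; None if unknown, expired or reused."""
    record = store.pop(_fingerprint(token), None)   # pop makes the token single-use
    if record is None or now > record["expires"]:
        return None
    return record["user_id"]


def issue_api_key(keys: dict, user_id: int) -> str:
    """API keys are minted the same way: 32 random bytes, URL-safe, digest-only at rest."""
    key = secrets.token_urlsafe(32)
    keys[_fingerprint(key)] = user_id
    return key


def lookup_api_key(keys: dict, presented: str):
    # Hashing the presented key before the lookup means the comparison timing
    # depends on the digest, not on how many leading characters of the key matched.
    return keys.get(_fingerprint(presented))


class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per client IP."""

    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        q = self._hits[ip]
        while q and q[0] <= now - self.window:   # drop attempts that have aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    resets, keys, now = {}, {}, time.time()
    t = new_reset_token(resets, user_id=42, now=now)
    print(redeem_reset_token(resets, t, now), redeem_reset_token(resets, t, now))  # 42 None
    k = issue_api_key(keys, user_id=7)
    print(len(k), lookup_api_key(keys, k))  # 43 7
```

The expiry check runs after the pop, so an expired token is discarded on its first presentation and cannot be retried later; the limiter keys on the client IP only, which is why the page's figure of five attempts per minute is per IP rather than per account.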

Payments

Payments are processed by Stripe. Argus never sees or stores your card number — all payment data lives entirely within Stripe's PCI-compliant environment.

  • No card numbers stored on Argus servers
  • Stripe handles all billing, invoices, and card storage
  • Subscription changes and cancellations processed via Stripe Billing

Data storage & transport

All traffic is served over HTTPS/TLS. Your data is stored in a SQLite database running in WAL (write-ahead logging) mode, so writes are atomic and survive a crash mid-transaction, hosted on Railway's managed infrastructure in the US.

  • TLS 1.2+ enforced on all connections
  • Database snapshots taken automatically by Railway
  • No unencrypted storage of sensitive fields

Analytics & tracking

Argus does not use third-party analytics trackers (no Google Analytics, Meta Pixel, or equivalent). Your browsing behavior within the product is not sold or shared.

  • No advertising pixels or retargeting scripts
  • No session recording tools (Hotjar, FullStory, etc.)
  • Server-side logging only for debugging and abuse prevention

Application security

We take a defense-in-depth approach with input validation, rate limiting, and access controls enforced at the API layer on every endpoint.

  • IDOR (insecure direct object reference) protections on all data endpoints
  • Per-user and per-IP rate limiting on all AI generation endpoints
  • Plan-based access gating enforced server-side — not just in the UI
  • Webhook payloads signed with HMAC for integrity verification
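The following Python is an added example, not code from Argus, showing three of the server-side checks listed above on constructed data: a company lookup that always includes the authenticated owner in the WHERE clause (the usual IDOR defence), a plan gate enforced inside the handler rather than in the UI, and HMAC-SHA256 signing and verification of a webhook body. The table layout, the plan names, the `t=<timestamp>,v1=<hex>` header format and the 300-second replay window are assumptions chosen for illustration; the page does not specify the scheme Argus actually uses.

```python
import hashlib
import hmac
import sqlite3
from functools import wraps

PLAN_RANK = {"free": 0, "pro": 1, "enterprise": 2}   # assumed plan tiers, for illustration


class Forbidden(Exception):
    """Raised when the caller's plan does not allow the endpoint (would map to HTTP 403)."""


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table: two companies owned by two different users."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE companies (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO companies VALUES (?, ?, ?)", [(1, 100, "Acme"), (2, 200, "Globex")])
    return db


def get_company(db: sqlite3.Connection, user_id: int, company_id: int):
    """IDOR-safe lookup: the owner comes from the authenticated session, never from the
    request, and it is part of the WHERE clause, so another user's row is indistinguishable
    from a row that does not exist (None, which a handler would turn into HTTP 404)."""
    row = db.execute(
        "SELECT id, name FROM companies WHERE id = ? AND owner_id = ?", (company_id, user_id)
    ).fetchone()
    return None if row is None else {"id": row[0], "name": row[1]}


def require_plan(min_plan: str):
    """Server-side plan gate: the check runs inside the handler, not only in the UI."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: dict, *args, **kwargs):
            if PLAN_RANK[user["plan"]] < PLAN_RANK[min_plan]:
                raise Forbidden(f"{min_plan} plan required")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_plan("pro")
def generate_battlecard(user: dict, company: dict) -> str:
    # Stand-in for a plan-gated generation endpoint; the real work is out of scope here.
    return f"battlecard:{company['name']}"


def sign_webhook(secret: bytes, body: bytes, ts: int) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>', shipped in a header."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: int, tolerance: int = 300) -> bool:
    """Receiver side: recompute the MAC over the raw bytes (before any JSON parsing),
    compare in constant time, and reject timestamps outside the replay window."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        ts = int(fields["t"])
        sig = fields["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

Two design points worth keeping: the lookup returns "not found" rather than "forbidden" for a row owned by someone else, so an attacker probing IDs learns nothing about which IDs exist; and the webhook MAC is computed over the exact bytes received, because re-serialising parsed JSON can change whitespace or key order and break the signature.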

Intelligence sources

Argus monitors 100% publicly available, legal sources only — no private databases, no unauthorized access, no scraping of authenticated content.

  • GitHub public repos, public job boards, public news and filings
  • OSINT sources (breach monitors, paste sites) that are themselves publicly accessible
  • SimilarWeb public data endpoint for traffic estimates
  • No monitoring of private communications or individuals

AI & your data

Argus uses Anthropic's Claude API to score and analyze signals. Your data is not used to train AI models.

  • Signals are sent to Claude for scoring/summarization via Anthropic's API
  • Anthropic's API does not use submitted data for model training (per their API terms)
  • No user-identifying data is included in AI prompts

SOC 2 & compliance

Argus does not yet have a SOC 2 report (SOC 2 is an auditor's attestation rather than a certification). We're an early-stage product, and a formal audit is on our roadmap as we scale. We've built our security controls with the SOC 2 Trust Services Criteria in mind.

  • Access control — least-privilege, plan-gated API access enforced server-side
  • Availability — Railway managed hosting with automatic restarts and persistence
  • Confidentiality — no plain-text passwords, HTTPS-only, no third-party trackers
  • Enterprise customers can request our security practices summary via email

Data retention & deletion

You can delete your account and all associated data at any time. Signal data is kept until you delete it, within the retention window of your plan.

  • Account deletion removes all companies, signals, briefs, and battlecards
  • Email us at hello@argusintel.net to request full deletion
  • Signal history is scoped to your plan's retention window
What we don't do

Our commitments

We don't sell your data. Your company list, signals, and usage data are never sold to third parties or advertisers.
We don't monitor individuals. Acceptable use explicitly prohibits using Argus to track private individuals. Our platform is for monitoring public company activity only.
We don't use tracking pixels. No Google Analytics, Meta Pixel, or advertising trackers on any page.
We don't store card data. Payment processing is handled entirely by Stripe. Argus never touches card numbers.
We don't train models on your data. Anthropic's API terms prohibit using API-submitted data for training, and we don't do it ourselves either.
We don't access private sources. All 30+ intelligence sources are publicly accessible — no unauthorized access, no private database purchases.
Responsible disclosure
Found a security issue? Email hello@argusintel.net with details. We respond within 48 hours and will coordinate a fix before any public disclosure. We don't pursue legal action against good-faith security researchers.

Questions about security or data handling?

Email hello@argusintel.net — we respond to all security and privacy questions personally, not via a ticket queue.