Built to be trusted by medical device teams.
Threat Detective helps medical device manufacturers manage the security of their software supply chain. We hold ourselves to the same standards we help our customers meet.
Last updated: 16 April 2026
This page describes how we protect your data, how we build our product, and the controls we have in place. If you need something not covered here, email security@threatdetectivehq.com.
At a glance
- Hosting: Dedicated servers at Hetzner. Cloudflare for DNS and DDoS protection.
- Data residency: EU by default. EU, US, or UK on Private Cloud.
- Encryption: TLS 1.3 and 1.2 in transit (modern ciphers only), AES-256 at rest.
- Authentication: Username and password, with Google and GitHub as alternatives. Passkeys encouraged for MFA. SAML/OIDC SSO on Private Cloud.
- Backups: Automated daily, with regular restore testing.
- Vulnerability disclosure: Published policy, with security.txt on every domain.
- Our own SBOM: Published. We use our own product.
Infrastructure & hosting
Threat Detective runs on dedicated bare-metal servers at Hetzner. We chose dedicated infrastructure deliberately: no shared tenancy means no noisy-neighbour or cross-tenant escape risk, and we have full control over the hardware and software stack.
Cloudflare sits in front of all our services, providing:
- DNS with DNSSEC
- TLS termination at the edge, with re-encryption to our origin over HTTPS (Full (strict) mode, so Cloudflare validates our origin certificate)
- DDoS mitigation
Our origin servers accept web traffic only from connections that present a valid Cloudflare client certificate (Authenticated Origin Pulls), so traffic cannot bypass Cloudflare by connecting to the origin IP directly. All other inbound traffic is blocked at the firewall.
Data residency
Threat Detective is offered in two deployment models:
Standard (Pre-Market and Post-Market plans). All customer data is hosted at Hetzner's Falkenstein, Germany data centre. Data is stored and processed within the European Union and is not transferred outside the EU.
Private Cloud. Customers can choose where their data is hosted: European Union, United Kingdom, or United States. Private Cloud is a single-tenant deployment, isolated from other Threat Detective customers. This is the right choice if you have specific data residency requirements (for example, US customers preferring data to stay onshore, or UK NHS customers requiring UK hosting).
Authentication & access
How customers sign in
On the Standard plans, customers sign in with a username and password. Passwords are hashed and salted at rest. Customers can also authenticate with:
- Sign in with Google (OAuth 2.0)
- Sign in with GitHub (OAuth 2.0)
We encourage all users to add a passkey (WebAuthn / FIDO2) as a second factor. Passkeys are phishing-resistant by design, and adding one protects accounts even if a password is compromised.
Private Cloud customers can authenticate via enterprise SAML 2.0 or OIDC SSO, integrated with their identity provider (Okta, Entra ID, Google Workspace, and others). This supports centralised access management, automated provisioning, and immediate offboarding.
How we access your data
Threat Detective is currently operated by a single founder. This means:
- There is one production access path, secured by hardware-backed authentication keys.
- All production access is logged.
- Production credentials are protected by hardware-backed authentication and never stored in plaintext on disk.
- There is no shared access, no service accounts with standing credentials, and no third-party support staff with access to customer data.
As we grow, we will move to a least-privilege role-based model with documented access reviews. We will publish updates to this page as those controls are introduced.
Encryption
- In transit: TLS 1.3 and TLS 1.2 for all customer-facing traffic, with modern cipher suites only (ECDHE key exchange, AEAD ciphers). TLS 1.0 and 1.1 are disabled. HSTS is enabled.
- At rest: AES-256 for databases, object storage, and backups. Encryption keys are managed separately from the data they protect and rotated on a defined schedule.
- Secrets: Application secrets and API keys are managed through a dedicated secrets manager and never committed to source control.
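The two origin-side controls described on this page, accepting only Cloudflare-authenticated connections and offering only TLS 1.2/1.3 with ECDHE and AEAD suites plus HSTS, are shown together below as an added nginx example. This is not Threat Detective's own configuration; the hostname, certificate paths, CA bundle path and backend address are assumptions.

```nginx
# Added example, not the product's own config. Paths, hostname and backend
# address are placeholders.
server {
    listen 443 ssl;
    server_name app.example.com;   # assumed hostname

    # Server certificate presented to Cloudflare; must validate under
    # Cloudflare's Full (strict) mode.
    ssl_certificate     /etc/nginx/tls/origin.crt;      # assumed path
    ssl_certificate_key /etc/nginx/tls/origin.key;      # assumed path

    # Authenticated Origin Pulls: require a client certificate chaining to
    # Cloudflare's origin-pull CA. Without this, anyone who learns the origin
    # IP can talk to the application directly and skip the DDoS/WAF layer.
    ssl_client_certificate /etc/nginx/tls/cloudflare-origin-pull-ca.pem;  # assumed path
    ssl_verify_client on;
    ssl_verify_depth 1;

    # Protocols and suites: TLS 1.0/1.1 are absent, so they are refused.
    # Every TLS 1.2 suite listed uses ECDHE key exchange and an AEAD cipher;
    # TLS 1.3 suites are AEAD-only by definition.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;   # all offered suites are acceptable, let the client choose
    ssl_session_tickets off;         # avoid long-lived ticket keys undermining forward secrecy

    # HSTS, sent on every response including error pages ("always").
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed application backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two checks are worth running from a host outside Cloudflare: `openssl s_client -connect <origin-ip>:443 -tls1_1` should fail to negotiate, and a plain `curl -k https://<origin-ip>/` should receive HTTP 400 from nginx because no client certificate was sent. The client-certificate check is a second layer, not a replacement for the firewall: restricting port 443 to Cloudflare's published IP ranges should remain in place.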
Data handling
What we collect
We collect only what is needed to operate the service: account information (name, email, organisation), the SBOMs and software metadata you upload, vulnerability data we generate or fetch on your behalf, and standard operational telemetry (logs, metrics).
Tenant isolation
On the Standard plans, customer data is logically isolated at the database and application layer. Every query is scoped to the authenticated tenant. We do not commingle data between customers.
On Private Cloud, customer data is physically isolated in a dedicated single-tenant deployment.
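The rule that every query is scoped to the authenticated tenant is easy to state and easy to break with a single lookup that filters on primary key alone. As an added example (not Threat Detective's code; the schema, table names and sample rows are constructed for illustration), the block below shows that unscoped lookup beside a repository in which the tenant id always comes from the authenticated session, never from the request, and every statement carries it.

```python
import sqlite3
from dataclasses import dataclass

# Constructed schema; the real product's data model is not public.
SCHEMA = """
CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE sboms (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL REFERENCES tenants(id),
    name      TEXT    NOT NULL,
    spdx_json TEXT    NOT NULL
);
CREATE INDEX sboms_tenant ON sboms(tenant_id);
"""

# Constructed sample data: two tenants, three SBOMs.
SAMPLE_TENANTS = [(1, "Acme Medical"), (2, "Beta Devices")]
SAMPLE_SBOMS = [
    (101, 1, "infusion-pump-fw-3.2", "{}"),
    (102, 1, "infusion-pump-fw-3.3", "{}"),
    (201, 2, "glucose-monitor-1.0", "{}"),
]


@dataclass(frozen=True)
class Session:
    """Authenticated principal. tenant_id is set at login from the user record,
    never taken from a request parameter or header."""
    user_id: int
    tenant_id: int


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO tenants VALUES (?, ?)", SAMPLE_TENANTS)
    db.executemany("INSERT INTO sboms VALUES (?, ?, ?, ?)", SAMPLE_SBOMS)
    return db


def get_sbom_unscoped(db: sqlite3.Connection, sbom_id: int):
    """The bug: filters on primary key only, so any authenticated user can read
    any tenant's SBOM by guessing an id (an insecure direct object reference)."""
    return db.execute(
        "SELECT id, tenant_id, name FROM sboms WHERE id = ?", (sbom_id,)
    ).fetchone()


class TenantRepo:
    """Every statement carries the session's tenant_id in its WHERE clause."""

    def __init__(self, db: sqlite3.Connection, session: Session):
        self.db = db
        self.session = session

    def get_sbom(self, sbom_id: int):
        # A foreign id yields None, indistinguishable from "does not exist",
        # so the response does not confirm that another tenant owns that id.
        return self.db.execute(
            "SELECT id, tenant_id, name FROM sboms WHERE id = ? AND tenant_id = ?",
            (sbom_id, self.session.tenant_id),
        ).fetchone()

    def list_sboms(self) -> list[int]:
        rows = self.db.execute(
            "SELECT id FROM sboms WHERE tenant_id = ? ORDER BY id",
            (self.session.tenant_id,),
        )
        return [r[0] for r in rows]

    def delete_sbom(self, sbom_id: int) -> int:
        # rowcount is 0 when the row belongs to another tenant: nothing deleted.
        cur = self.db.execute(
            "DELETE FROM sboms WHERE id = ? AND tenant_id = ?",
            (sbom_id, self.session.tenant_id),
        )
        return cur.rowcount


def demo() -> dict:
    """Beta Devices (tenant 2) tries to read and delete Acme's SBOM 101."""
    db = open_db()
    beta = TenantRepo(db, Session(user_id=7, tenant_id=2))
    acme = TenantRepo(db, Session(user_id=1, tenant_id=1))
    return {
        "unscoped_leak": get_sbom_unscoped(db, 101) is not None,  # True: the bug
        "scoped_foreign": beta.get_sbom(101),                     # None
        "scoped_own": beta.get_sbom(201)[2],                      # its own SBOM
        "delete_foreign": beta.delete_sbom(101),                  # 0 rows
        "acme_still_has": len(acme.list_sboms()),                 # 2, untouched
    }


if __name__ == "__main__":
    print(demo())
```

The application-layer pattern above depends on every developer remembering the second predicate. A database that supports row-level security (PostgreSQL, for example) lets the same rule be enforced by a policy on the table, keyed on a per-connection tenant setting, so an unscoped query returns nothing rather than everything; which of the two Threat Detective uses is not stated on this page.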
Retention and deletion
Customer data is retained for the duration of your subscription. On termination, data is deleted within 30 days, and from backups within 90 days.
You can request export or deletion of your data at any time by emailing privacy@threatdetectivehq.com.
Backups and disaster recovery
- Automated daily backups of all customer data.
- Backups are encrypted at rest and stored in a separate failure domain from production.
- Restore procedures are tested regularly.
- Target Recovery Time Objective (RTO): 24 hours.
- Target Recovery Point Objective (RPO): 24 hours.
Product security
Secure development
- All code changes go through pull request review before merging to production.
- Automated static analysis (SAST) runs on every pull request.
- Dependency scanning runs continuously; we fix critical and high vulnerabilities to defined SLAs (see our VDP for the same SLAs we apply to reported issues).
- Infrastructure changes are version-controlled and peer-reviewed.
Eating our own dog food
Threat Detective is an SBOM management product, and we publish our own SBOM. You can see it at /trust/sbom. It includes:
- The components and versions that make up our application.
- The vulnerabilities we are tracking and our remediation status.
- Our patching cadence.
If you want to know how seriously a vendor takes supply chain security, ask them for their SBOM. We give ours away.
Vulnerability disclosure
We operate a published Vulnerability Disclosure Policy aligned with the NCSC toolkit and ISO/IEC 29147. A security.txt file is published at /.well-known/security.txt.
Penetration testing
An independent third-party penetration test is scheduled. Once complete, a summary letter will be available to customers and prospects under NDA. We will move to an annual cadence.
Operational security
Logging and monitoring
Application and infrastructure logs are centralised and retained for security investigation. We monitor for anomalous authentication, configuration changes, and unusual data access patterns.
Incident response
We maintain an incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay and in any event within 72 hours of confirmation, in line with our obligations as a processor under UK GDPR Article 33(2), so that customers can meet their own 72-hour notification deadline to the supervisory authority.
Compliance & regulatory posture
Where we are today
- UK GDPR / EU GDPR: We comply with both. A Data Processing Addendum (DPA) is available on request from privacy@threatdetectivehq.com.
- ISO/IEC 29147 (vulnerability disclosure): Our VDP is aligned.
Where we are heading
We have made a deliberate decision not to pursue SOC 2 or ISO 27001 certification at our current stage, in favour of investing in real security controls and transparency. We will revisit certification as we grow, and will update this page when we commit to a timeline.
In the meantime, we provide the underlying evidence that procurement teams need to make their own assessment: pen test summaries, our SBOM, this trust page, and our VDP.
Supporting your regulatory obligations
Threat Detective is built specifically for medical device manufacturers operating under:
- FDA premarket cybersecurity submission requirements (510(k), De Novo, PMA), including SBOM and known vulnerability documentation per the FDA's Cybersecurity in Medical Devices guidance.
- EU MDR Annex I, sections 17.1 and 17.2 (repeatability, reliability and performance; software developed according to the state of the art, including lifecycle, risk management, information security, verification and validation).
- EU Cyber Resilience Act Article 13 and Annex I, including SBOM provision and vulnerability handling obligations.
- IEC 81001-5-1 and AAMI TIR57 alignment for software lifecycle and risk management.
If you need help mapping Threat Detective's outputs to a specific regulatory submission, we are happy to assist.
Subprocessors
We use a small number of third-party services to operate Threat Detective. The current list is published at /trust/subprocessors. We will notify customers of material changes via email.
Contacting us
| Topic | Contact |
|---|---|
| Security vulnerabilities | security@threatdetectivehq.com (VDP) |
| Privacy, DPA, data subject requests | privacy@threatdetectivehq.com |
| General trust questions | trust@threatdetectivehq.com |
For PGP-encrypted communication, our key is at /.well-known/pgp-key.asc.
We update this page when our controls change. Material changes are summarised in the page footer.