You trust ShieldIQ with your firewall configurations — the keys to your network. We take that seriously. Here's exactly how we protect your data.
We never store your firewall configurations. Configs are processed in memory and immediately discarded. We store findings and scores — never your raw configs, IP addresses, or network topology. Even if our database were compromised, your network architecture would not be exposed.
Firewall configurations are parsed entirely in memory during the audit. Raw config content is never written to disk, never stored in a database, and never logged. Once the audit completes, the config is discarded. We store only the findings, risk scores, and remediation guidance — never your network topology, IP ranges, or rule logic.
All data in transit is encrypted with TLS 1.2+. Data at rest (findings, credentials, reports) is encrypted with AES-256. API credentials for scheduled audits are encrypted using a dedicated encryption key that is separate from application secrets. Database connections use SSL.
User authentication uses bcrypt-hashed passwords (cost factor 12) with JWT tokens. Sessions use httpOnly refresh tokens that cannot be accessed by client-side JavaScript. Multi-tenant isolation ensures organizations can never access each other's data. Role-based access (Owner, Admin, Analyst, Viewer) enforces least privilege across every API endpoint.
Every action in ShieldIQ — logins, audit runs, setting changes, data exports — is recorded in an append-only audit log. Logs cannot be modified or deleted, even by administrators. This provides a tamper-proof record for compliance evidence and incident investigation.
When AI analysis is enabled, only individual finding descriptions are sent to Anthropic's Claude API — never full configurations, IP addresses, or network topology. AI prompts are sanitized to remove any residual sensitive data. Anthropic does not train on API inputs. AI analysis is optional and can be disabled per-organization.
ShieldIQ runs on dedicated infrastructure (not shared hosting). The application is containerized with Docker, minimizing attack surface. Database access is restricted to application containers only — no public database ports. SSL certificates auto-renew via Let's Encrypt. All dependencies are version-pinned and regularly audited.
All user inputs are validated with strict schemas (Pydantic on the backend, Zod on the frontend). SQL injection is prevented by SQLAlchemy's parameterized queries. XSS is prevented by React's default escaping and Content Security Policy headers. Rate limiting protects against brute force and abuse. CORS is restricted to the application domain only.
ShieldIQ's audit engine normalizes all firewall configs to a vendor-neutral format before analysis. This means your vendor-specific configuration syntax, proprietary features, and device identifiers are stripped during parsing. The 15 security checks operate on abstract rule objects — not raw config files.
Findings map to specific PCI-DSS controls (1.2.1, 1.3.1, 1.3.2, etc.). Reports are formatted as audit evidence.
Controls mapped to AC, SC, AU, and CM families. Supports federal and defense contractor compliance.
Mapped to CIS Control 4 (Secure Configuration) and Control 13 (Network Monitoring and Defense).
Found a security vulnerability? We want to hear about it. Please report security issues to security@getshieldiq.com. We commit to acknowledging reports within 48 hours and providing a timeline for resolution. We will not take legal action against researchers who act in good faith.
Have security questions? We're happy to discuss our practices in detail.