Security & Privacy
CyberDoc handles sensitive security assessment data. This page documents the platform's approach to data collection, privacy compliance, security hardening, and data retention.
Australian Privacy Act Compliance
CyberDoc is designed to comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Key compliance measures:
| APP | Principle | CyberDoc Implementation |
|---|---|---|
| APP 1 | Open and transparent management | Privacy policy accessible from all pages. This documentation describes all data handling practices. |
| APP 3 | Collection of solicited personal information | Only name, email, and optionally domain are collected. Collection is necessary for the service (scan results delivery). |
| APP 5 | Notification of collection | Users are informed at the point of collection (lead form) what data is collected and why. |
| APP 6 | Use or disclosure | Data is used only for scan assessment and report delivery. Not shared with third parties except AI providers for analysis (see Third-Party Services). |
| APP 8 | Cross-border disclosure | Data processed by cloud infrastructure providers and AI services. Users are notified of cross-border processing. |
| APP 11 | Security of personal information | All data encrypted in transit (TLS 1.3) and at rest (Cloudflare KV encryption). Access restricted by API key authentication. |
| APP 13 | Correction of personal information | Users can request correction or deletion by contacting the administrator. |
Data Collection
CyberDoc collects the following data during a scan session:
| Data | Source | Purpose | Sensitivity |
|---|---|---|---|
| Name | Lead form (user input) | Report personalisation, admin identification | Personal |
| Email | Lead form (user input) | Report delivery, breach check | Personal |
| Domain | Lead form (optional, user input) | Deep scan target | Business |
| IP address | Automatically captured | Geo-location for admin map, rate limiting | Personal |
| User agent | Automatically captured | Device/browser context for diagnosis | Technical |
| Scan data | Questionnaire (user input) | Security hygiene assessment | Security profile |
| Pen test results | Browser-side checks | Browser security assessment | Security profile |
| Lab scan results | Server-side scanning | Domain security assessment | Security profile (sensitive) |
| Voice transcript | Voice agent session | Consultation record | Personal + Security |
Consent Mechanism
CyberDoc implements a two-layer consent model:
Layer 1: Lead Submission (Turnstile)
- Cloudflare Turnstile widget verifies the user is human (no CAPTCHA — invisible challenge)
- Turnstile token sent with lead form and verified server-side
- Implicit consent to security check by submitting the form
Layer 2: Pen Test Consent (Explicit)
- Before any browser pen test checks execute, a consent screen is displayed
- The consent text explains exactly what will be tested
- User must click "I Consent — Run Scan" to proceed
- Consent record is stored in KV with full audit trail:
{
"consent_id": "con_x1y2z3",
"scan_id": "scan_a1b2c3d4",
"type": "pentest",
"ip": "203.0.113.10",
"user_agent": "Mozilla/5.0...",
"turnstile_token": "0.xxx...",
"timestamp": "2026-03-28T10:32:15.000Z",
"text_shown": "CyberDoc will now perform browser-side security checks..."
}
The full consent text shown to the user is recorded alongside the consent record for legal auditability.
Data Retention
| Data Type | KV Namespace | Retention Period | Auto-Expiry |
|---|---|---|---|
| Scan results | SCANS | 90 days | Yes (KV TTL) |
| Consent records | CONSENTS | 1 year | Yes (KV TTL) |
| Support tickets | TICKETS | 180 days | Yes (KV TTL) |
| Voice session logs | VOICE_LOG | 180 days (6 months) | Yes (KV TTL) |
| Lab scan results | LAB_SCANS | 90 days | Yes (KV TTL) |
All data is automatically deleted by Cloudflare KV when the TTL expires. No manual purging is needed. Admins can also manually delete individual records before TTL expiry via the dashboard.
Third-Party Services
CyberDoc sends data to the following third-party services:
| Service | Provider | Data Sent | Purpose | Location |
|---|---|---|---|---|
| Edge hosting | Cloudflare | All data (storage + transit) | Hosting, storage, edge delivery | Global |
| Bot protection | Cloudflare | Challenge token, IP | Bot verification | Global |
| AI diagnosis | Third party | Scan results (anonymisable) | AI-powered analysis | US |
| Voice agent | Third party | Scan context + voice audio | Voice consultation | US |
| Breach data | Third party | Email address (hashed) | Breach database lookup | Global |
Security Headers
CyberDoc sets the following security headers on all responses:
Content-Security-Policy (CSP)
Content-Security-Policy:
default-src 'self';
script-src 'self' https://challenges.cloudflare.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self' https://challenges.cloudflare.com wss://voice.x.ai;
frame-src https://challenges.cloudflare.com;
img-src 'self' data:;
object-src 'none';
base-uri 'self';
form-action 'self';
The CSP allows 'unsafe-inline' for styles only (required for React inline styles); because script-src carries neither 'unsafe-inline' nor 'unsafe-eval', an injected inline script or event-handler attribute is still blocked. Scripts are restricted to same-origin and the Turnstile challenge domain. WebSocket connections are allowed to the Grok Voice endpoint. The policy does not set frame-ancestors, so clickjacking protection relies on the X-Frame-Options header listed below.
Other Security Headers
| Header | Value | Purpose |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | Enforce HTTPS for 1 year, including subdomains; preload marks the site as eligible for browser HSTS preload lists |
| X-Content-Type-Options | nosniff | Prevent MIME type sniffing |
| X-Frame-Options | DENY | Prevent clickjacking (no iframe embedding) |
| Referrer-Policy | strict-origin-when-cross-origin | Send the full URL as referrer on same-origin requests, only the origin on cross-origin requests, and nothing on an HTTPS-to-HTTP downgrade |
| X-XSS-Protection | 0 | Disabled (modern CSP is preferred; the legacy XSS filter can itself introduce vulnerabilities) |
Permissions-Policy
Permissions-Policy:
camera=(),
geolocation=(),
payment=(),
usb=(),
magnetometer=(),
gyroscope=(),
accelerometer=(),
microphone=(self)
Every feature named in the header is disabled except microphone, which is allowed for same-origin documents only (required for the voice agent; cross-origin iframes still get no microphone). Features not named in the header keep their browser defaults.
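The headers above can be applied centrally from a Pages Functions middleware. The following is an added example, not CyberDoc's own code: the directive values are the ones documented on this page, while the helper names, the `functions/_middleware.js` shape and the extra `frame-ancestors 'none'` directive (the CSP counterpart of `X-Frame-Options: DENY`, which the page's policy does not include) are my additions. It also shows the one wire-format point the pretty-printed blocks above hide: Permissions-Policy is a single comma-separated line.

```javascript
// Added example (not part of CyberDoc): a Pages Functions middleware that attaches the
// documented security headers to every response. Directive values come from this page;
// helper names and the frame-ancestors addition are mine.

const CSP = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://challenges.cloudflare.com'],
  'style-src': ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
  'font-src': ["'self'", 'https://fonts.gstatic.com'],
  'connect-src': ["'self'", 'https://challenges.cloudflare.com', 'wss://voice.x.ai'],
  'frame-src': ['https://challenges.cloudflare.com'],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  // Not in the page's policy: where both are present, frame-ancestors takes precedence
  // over X-Frame-Options, so setting both keeps old and new browsers in agreement.
  'frame-ancestors': ["'none'"],
};

const PERMISSIONS = {
  camera: [], geolocation: [], payment: [], usb: [],
  magnetometer: [], gyroscope: [], accelerometer: [],
  microphone: ['self'], // same-origin only; cross-origin iframes get no microphone
};

// "directive src src; directive src": a directive with no sources is emitted bare.
function serializeCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => (sources.length ? `${directive} ${sources.join(' ')}` : directive))
    .join('; ');
}

// Permissions-Policy is a structured-header dictionary: feature=(allowlist) entries,
// comma-separated, on ONE line. The multi-line layout in the docs is for readability.
function serializePermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allow]) => `${feature}=(${allow.join(' ')})`)
    .join(', ');
}

function securityHeaders() {
  return {
    'Content-Security-Policy': serializeCsp(CSP),
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'X-XSS-Protection': '0',
    'Permissions-Policy': serializePermissionsPolicy(PERMISSIONS),
  };
}

// Responses returned by context.next() have immutable headers; re-wrapping the body in
// a new Response gives a mutable copy without buffering the body stream.
function withSecurityHeaders(response) {
  const out = new Response(response.body, response);
  for (const [name, value] of Object.entries(securityHeaders())) out.headers.set(name, value);
  return out;
}

// functions/_middleware.js entry point: runs for every route under the Pages project.
async function onRequest(context) {
  return withSecurityHeaders(await context.next());
}
```

Because `set` replaces rather than appends, a page-level handler cannot accidentally ship a weaker duplicate of any of these headers; if a route genuinely needs a different policy, the exception has to be made explicitly in the middleware.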
HTTPS Enforcement
- Cloudflare Pages enforces HTTPS by default — HTTP requests are redirected to HTTPS with a 301
- HSTS header ensures browsers never attempt HTTP after first visit
- TLS 1.3 is the minimum supported protocol version (configured in Cloudflare SSL/TLS settings)
- Automatic certificate provisioning and renewal via Cloudflare
Security Standards Coverage
CyberDoc's scanning tools cover three OWASP standards, providing vulnerability assessment across web applications, APIs, and AI-integrated systems:
| Standard | Coverage | CyberDoc Tools |
|---|---|---|
| OWASP Top 10 (Web) | 14 checks covering injection, broken auth, XSS, CSRF, SSRF, misconfigurations, and more | webapp, owasp, nuclei |
| OWASP API Security Top 10 (2023) | 8 checks covering broken authentication, excessive data exposure, broken function-level authorization, unrestricted resource consumption, and security misconfiguration | api |
| OWASP Top 10 for LLM Applications (2025) | 8 checks covering prompt injection, insecure output handling, training data poisoning indicators, model DoS, supply chain vulnerabilities, and sensitive information disclosure | ai |
Scan Security
Browser-Side Checks
- All 8 browser pen test checks run entirely in the user's browser — no data is sent to external servers during the scan itself
- Results are sent to the CyberDoc API only after all checks complete
- No network probes are performed against external systems
- Explicit consent is required before any checks execute
Server-Side Lab Scans
- Scanner runs in an isolated container environment
- Each scan request is authenticated with shared secrets
- Scanner has no access to CyberDoc's KV data or user information — it only receives the target domain/IP
- Scan output is returned to the Pages Function, which stores it in KV
- Scanner tools run with limited privileges inside the container
- No persistent storage on the scanner — each request is stateless
Incident Response
In the event of a security incident:
- Rotate all API keys — All service API keys and secrets should be rotated immediately
- Review admin access logs — Check Cloudflare Analytics for unusual admin API traffic patterns
- Audit KV data — Review recent scan records for unauthorized access or data exfiltration
- Assess under the Notifiable Data Breaches scheme — If personal data may have been compromised, assess within 30 days whether the incident is an eligible data breach under Part IIIC of the Privacy Act (APP 11 sets the security obligation; notification duties come from the NDB scheme)
- Notify the OAIC and affected users — Once an eligible data breach is confirmed, notify the Office of the Australian Information Commissioner and the affected individuals as soon as practicable
Security Contact
To report a security vulnerability in CyberDoc, contact the development team directly. Do not file a public issue for security-sensitive reports.