Trust Center

Penetration testing

Last reviewed: 2026-05-25

Current status

No third-party penetration test has been completed yet. The first external test is scheduled for November 2026, six months after launch, and on an annual cadence thereafter. This page is updated to reflect the executive summary of each test as it completes.

In the meantime, the application surface is exercised by:

Planned cadence

CadenceScopeTesterStatus
AnnualAuthenticated application (Fly Sydney), API, Supabase RLS surface, authentication and session handling, file-upload pipeline, AI feature surfaces and prompt-injection resistance.Independent Australian security firm (engagement scheduled).First test: November 2026.
Pre-major-releaseTargeted re-test of any new high-risk surface introduced since the last annual.Same firm or specialist as appropriate.As required.

How findings are handled

A summary appears in the table below after each engagement, including the date of the test, the firm, the scope tested, and the count of findings remediated by severity. The full report is shared under NDA with customers, prospects, and auditors on request.

Engagements

DateFirmScopeCriticalHighMediumLow/InfoRemediated by
(scheduled — November 2026)TBA(per scope above)

Change log

DateChange
2026-05-25Initial publication. First external test scheduled November 2026.

← Back to the Trust Center