IATO is hosted on industry-standard cloud infrastructure with enterprise-grade physical and network security. All data is stored in encrypted-at-rest databases, and all communications between your browser and our servers are encrypted using TLS 1.2 or higher.
User authentication is handled through secure JWT tokens with configurable expiration. API keys use cryptographic hashing and are never stored in plaintext. Our role-based access control (RBAC) system supports Owner, Admin, Member, and Viewer roles with granular permission boundaries.
Crawl data is isolated per workspace. Users in one workspace cannot access data belonging to another. We do not sell, share, or use your crawl data for any purpose other than providing the service you have requested. All data processing occurs within our secured infrastructure.
Our REST API and MCP server enforce authentication on every request. Rate limiting protects against abuse. All API endpoints are served exclusively over HTTPS, and webhook payloads are signed using HMAC-SHA256 so you can verify their authenticity.
IATO's crawler respects robots.txt directives, crawl-delay rules, and nofollow/noindex instructions. It identifies itself with a clear user-agent string. You control what gets crawled, how deep, and at what speed — we never crawl sites you don't own or haven't authorized.
If you discover a security vulnerability in IATO, please report it responsibly to [email protected]. We take all reports seriously and will respond within 48 hours. We do not pursue legal action against researchers who report vulnerabilities in good faith.
This page was last updated on February 19, 2026.