FAQ

Straight Answers to Real Questions

The objections we actually hear — answered honestly, including where the line between free and paid is and what we do and don't do with your data.

Is my data safe with CloviScan?

Yes. Traffic is encrypted in transit (HTTPS/TLS), reports are encrypted at rest, scan data is scoped to your account, and uploaded code is stored privately — never in a public bucket. Full detail is on our Security & Trust page.

Do you store my scan results and code?

We store your reports in your account so you can track fixes and compare re-scans. Code uploaded for static analysis is used to generate findings and isn't retained beyond what's needed to deliver and re-open your report. You can delete any report or your whole account at any time.

How is this different from a header scanner?

A header scanner reads your raw HTML and grades a handful of response headers. CloviScan also reads your rendered page and the network responses your app ships — the JSON and XHR payloads where real leaks hide — plus your source code and your server configuration. The leak usually isn't in the HTML.

Does it work on WordPress?

Yes. CloviScan checks for exposed wp-config.php, outdated plugins with known CVEs, missing security headers, and publicly reachable admin or phpMyAdmin — and gives plain-language fixes. No plugin install required to run an external audit.

What's the difference between free and paid?

The free plan includes 3 scans per month so you can see real findings on your own site. Paid plans add more scans, scheduled monitoring, deeper code/repository analysis, and the pre-launch QC gate. See Pricing for the current breakdown.

Do I need permission to scan a site?

You should only scan assets you own or are authorized to test. Submitting a target confirms you have permission. This keeps your usage within acceptable-use boundaries.

Will scanning slow down or break my site?

An external audit behaves like a normal visitor and a set of targeted requests — it does not attack or attempt to exploit your site. CloviScan reports findings; it does not detonate them against your production system.