Operator Disclosure

Effective May 13, 2026

We try to be honest about how the business works and what's behind the recommendations you see in scan results. This page is the running log of relationships, conflicts, and choices a customer should know about.

Who runs this

Dr.Deploy is operated by an indie founder. No outside investors. No board. We'll update this page if either of those changes.

Affiliate / referral relationships

We do not currently have any paid affiliate or referral relationships with the providers we mention in scan recommendations (OpenAI, Anthropic, AWS, Stripe, Cloudflare, Vercel, Netlify, etc.). When we tell you to "rotate this key in IAM right now," it's because that's what you should do — not because we're paid to send you to AWS.

If we ever DO add an affiliate relationship, it'll be disclosed here in this section, AND inline in any recommendation that's affected. We'll never have an undisclosed affiliate relationship that influences scan output.

Vendors we pay

Listed in our Privacy Policy sub-processors section. We pay them for service; we don't get kickbacks from them.

How we handle leaked credentials we discover

We catch leaked secrets in the live JS bundles you tell us to scan. Standing policy:

  • Findings are stored as HMAC-SHA256 digests, not raw strings. The dashboard shows redacted prefixes/suffixes only.
  • We do not test the credentials against the issuing service. The leak is detected by pattern alone.
  • We do not ourselves disclose findings to the issuing vendor (OpenAI, etc.). That's the operator's call.
  • If a customer asks us to delete a finding (because they've rotated and want it scrubbed from history), we delete it within 30 days. R2 backup retention is 7 days, so a deleted finding is fully gone within 7-37 days depending on timing.
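As an added example (not Dr.Deploy's own code) of the storage model described above: a finding is persisted as a keyed HMAC-SHA256 digest plus a redacted prefix/suffix, and later scans or deletion requests match it by digest rather than by the raw string. The pepper key, helper names and sample token are assumptions constructed for the example.

```python
"""Added example (not Dr.Deploy's own code): store a detected secret as a keyed
HMAC-SHA256 digest plus a redacted display form, then match it by digest."""
import hmac
import hashlib

# Assumption: one server-side pepper key, kept apart from the findings table.
# Constructed value for this example; a real deployment loads it from a secret store.
FINDINGS_KEY = b"example-pepper-rotate-me"


def digest_secret(raw_secret: str, key: bytes = FINDINGS_KEY) -> str:
    """Keyed digest of the leaked string. Unlike a plain SHA-256, someone who
    obtains the findings table cannot brute-force structured keys (e.g. sk-...)
    offline without also holding the pepper key."""
    return hmac.new(key, raw_secret.encode("utf-8"), hashlib.sha256).hexdigest()


def redact(raw_secret: str, keep: int = 4) -> str:
    """Prefix/suffix only, as the dashboard shows it. Short strings are fully
    masked so the redaction never reveals most of the secret."""
    if len(raw_secret) <= keep * 2 + 2:
        return "*" * len(raw_secret)
    return f"{raw_secret[:keep]}...{raw_secret[-keep:]}"


def record_finding(raw_secret: str, pattern: str) -> dict:
    """What gets persisted: no raw string, only the digest and redacted form."""
    return {
        "pattern": pattern,
        "digest": digest_secret(raw_secret),
        "display": redact(raw_secret),
    }


def same_secret(finding: dict, candidate: str) -> bool:
    """Constant-time check whether a newly scanned string is the recorded finding
    (dedupe across scans, or confirm which record to delete after rotation)."""
    return hmac.compare_digest(finding["digest"], digest_secret(candidate))


if __name__ == "__main__":
    # Constructed sample token; not a real credential.
    leaked = "sk-test-EXAMPLE0123456789abcdefXYZ"
    f = record_finding(leaked, "openai_api_key")
    print(f)                              # record holds digest + "sk-t...fXYZ", no raw secret
    print(same_secret(f, leaked))         # True
    print(same_secret(f, leaked + "x"))   # False
```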

Scan severity calibration

Severity ratings ("critical / warn / info") are our judgment calls based on what would happen if the finding were exploited. They're tuned for typical indie-SaaS risk profiles. If your threat model is enterprise or a regulated industry, your severity calibration might differ: flag findings as false positives in the dashboard, or reach out and we'll adjust the underlying rules.

Conflicts of interest log

As of May 2026: none disclosed. This space stays here so future entries have a stable URL.

Past changes to this page

  • May 13, 2026 — initial publication.

Contact

Questions, suspected undisclosed conflict, or a vendor relationship change you think should be on this page: [email protected].