Security & Compliance

Last updated: March 8, 2026

1. Introduction

At ITAD Tools, security is foundational to everything we build. This document describes our Security Agent—an automated security monitoring system that continuously protects our infrastructure, codebase, and user data. The Security Agent operates 24/7 to detect vulnerabilities, monitor for threats, and ensure compliance with security best practices.

2. What is the Security Agent?

The Security Agent is an automated security monitoring service that runs continuously on our infrastructure. It performs the following core functions:

  • Automated Secret Detection: Scans our entire codebase for exposed credentials, API keys, private keys, and database passwords
  • File Permission Monitoring: Validates that critical configuration files maintain proper access restrictions
  • Login Threat Detection: Tracks user authentication events and identifies suspicious access patterns
  • Continuous Compliance Monitoring: Ensures security controls remain in place and alerts administrators to any deviations

3. Secret and Credential Detection

Our Security Agent continuously monitors our codebase across all application directories using sophisticated pattern-matching algorithms to detect potentially exposed secrets. This includes:

Types of Secrets Detected

  • API keys (including service-specific keys for third-party integrations)
  • Database connection strings with embedded credentials
  • Application secret keys and signing tokens
  • Email service credentials (SMTP/IMAP passwords)
  • Bearer tokens and authorization headers
  • SSH and PEM private keys (RSA, DSA, EC, OpenSSH formats)
  • Cloud provider credentials (AWS access keys, etc.)
  • Generic password assignments in code

How Detection Works

The agent uses 19 sophisticated detection patterns that scan all code files including Python, JavaScript, JSON, YAML, configuration files, shell scripts, and environment files. When a potential secret is detected:

  1. The finding is automatically classified by severity (Critical, High, Medium, or Low)
  2. A cryptographic fingerprint is generated to prevent duplicate alerts
  3. The secret value is automatically redacted in all logs and reports
  4. System administrators are immediately notified via email
  5. The finding is tracked until remediation is confirmed

4. File Permission Monitoring

The Security Agent monitors file system permissions on critical configuration files to ensure they maintain proper access restrictions. This includes:

  • Environment Files: Files containing sensitive configuration (database credentials, API keys) are monitored to ensure they have 0600 permissions (owner read/write only)
  • Application Directories: Working directories are monitored for proper ownership and access controls
  • Log Files: Log directories are checked to ensure they cannot be accessed by unauthorized processes

If file permissions deviate from security requirements, administrators are immediately alerted so corrective action can be taken.
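A check of the kind this section describes, written as an added example (not the Security Agent's own code): it compares an environment file's permission bits against the 0600 baseline, names the deviating bits, and returns the remediation; the temporary files and their contents are constructed for the demonstration.

```python
import os
import stat
import tempfile

REQUIRED_ENV_MODE = 0o600  # owner read/write only, the baseline for environment files


def check_mode(path, required=REQUIRED_ENV_MODE):
    """Return None when the file is compliant, otherwise a finding that names the
    deviating permission bits and the command restoring the baseline."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)          # permission bits only, no file type
    if mode == required:
        return None
    extra = mode & ~required                 # bits that grant more than allowed
    missing = required & ~mode               # bits the owner needs but lacks
    problems = []
    if extra & stat.S_IRWXG:
        problems.append("group-accessible")
    if extra & stat.S_IRWXO:
        problems.append("world-accessible")
    if extra & stat.S_IXUSR:
        problems.append("owner-executable")
    if missing:
        problems.append("owner lacks read/write")
    return {
        "file": path,
        "owner_uid": st.st_uid,
        "mode": f"{mode:04o}",
        "required": f"{required:04o}",
        "problems": problems,
        "remediation": f"chmod {required:04o} {path}",
    }


def check_sample():
    """Constructed demonstration: a world-readable .env beside a compliant one."""
    with tempfile.TemporaryDirectory() as tmp:
        loose = os.path.join(tmp, "loose.env")
        strict = os.path.join(tmp, "strict.env")
        for path in (loose, strict):
            with open(path, "w") as fh:
                fh.write("DATABASE_URL=postgres://app:example@db/prod\n")
        os.chmod(loose, 0o644)
        os.chmod(strict, 0o600)
        return check_mode(loose), check_mode(strict)
```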

5. Login Security and Threat Detection

Every user login to ITAD Tools is monitored for potential security threats. Our login security system tracks:

Monitored Events

  • New IP Address Detection: When a user logs in from a previously unseen IP address, the event is flagged and recorded
  • Suspicious Login Patterns: Multiple logins from different IP addresses within a short time window trigger security alerts
  • Login History: Complete authentication history is maintained for each user account
  • User Agent Analysis: Browser and device information is recorded to help identify unauthorized access attempts

Threat Response

When suspicious activity is detected, our system:

  1. Flags the login event for administrative review
  2. Records detailed information about the access attempt
  3. Enables administrators to investigate and take appropriate action
  4. Maintains an audit trail for compliance and forensic purposes
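The two monitored events above (new IP, several IPs inside a short window) and the recording and flagging steps, as an added example that is not the platform's own code. The 10-minute window and the limit of 2 distinct addresses are assumed thresholds, and the login sequence uses constructed documentation IP ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; the page does not publish the real window or limit.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_IPS = 2


class LoginMonitor:
    """Per-user login tracking: new-IP detection, short-window IP churn, audit trail."""

    def __init__(self):
        self.known_ips = defaultdict(set)   # user -> every IP seen before
        self.recent = defaultdict(deque)    # user -> (time, ip) inside WINDOW
        self.history = []                   # complete authentication history

    def record_login(self, user, ip, user_agent, when):
        flags = []
        if ip not in self.known_ips[user]:
            flags.append("new_ip")
            self.known_ips[user].add(ip)
        window = self.recent[user]
        window.append((when, ip))
        while when - window[0][0] > WINDOW:   # drop logins older than the window
            window.popleft()
        if len({addr for _, addr in window}) > MAX_DISTINCT_IPS:
            flags.append("multiple_ips_in_window")
        event = {"user": user, "ip": ip, "user_agent": user_agent,
                 "time": when.isoformat(), "flags": flags, "needs_review": bool(flags)}
        self.history.append(event)   # recorded whether or not it was flagged
        return event


def replay_sample():
    """Constructed login sequence for one account (documentation IP ranges)."""
    t0 = datetime(2026, 3, 8, 9, 0)
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    logins = [
        ("alice", "203.0.113.10", ua, t0),
        ("alice", "203.0.113.10", ua, t0 + timedelta(minutes=5)),
        ("alice", "198.51.100.7", ua, t0 + timedelta(minutes=7)),
        ("alice", "192.0.2.44", "curl/8.0", t0 + timedelta(minutes=9)),
        ("alice", "203.0.113.10", ua, t0 + timedelta(minutes=30)),
    ]
    monitor = LoginMonitor()
    return [monitor.record_login(*login) for login in logins]
```

The fourth login is the one that trips the window rule: three different addresses within nine minutes, while the fifth, from a known address after the window has emptied, raises nothing.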

6. Automated Scanning Schedule

The Security Agent operates on the following schedule to ensure comprehensive coverage:

  • Nightly Scans: Full security scans run automatically every day at 1:00 AM Pacific Time
  • On-Demand Scans: Administrators can trigger immediate scans at any time through the security dashboard
  • Continuous Monitoring: Login security monitoring runs in real-time with every authentication event

All scan results are stored securely in our database for audit purposes and are accessible to authorized administrators through our security dashboard.

7. Severity Classification

Security findings are classified into four severity levels to help prioritize remediation:

Severity  Description                                            Examples
Critical  Immediate risk of data breach or system compromise     Private keys, database URIs, cloud provider credentials
High      Significant security risk requiring prompt attention   API keys, secret keys, bearer tokens, hardcoded passwords
Medium    Moderate risk that should be addressed                 Encoded credentials, generic authentication tokens
Low       Minor issues or potential false positives              Generic patterns that may require review

8. Data Protection Measures

The Security Agent implements multiple layers of protection for sensitive information:

Secret Redaction

When secrets are detected, they are never stored or logged in plaintext. The agent implements smart redaction that shows only the first 4 characters followed by a redaction marker, preserving enough context for identification while protecting the actual secret value.

Deduplication

Each finding is assigned a cryptographic fingerprint (SHA256 hash) to prevent duplicate alerts and enable efficient tracking of findings through their lifecycle: open, acknowledged, resolved, or marked as false positive.
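The detection pipeline of section 3 (pattern match, severity classification, fingerprint, redaction, open finding) together with the first-4-characters redaction and SHA256 deduplication described here, as an added example rather than the agent's own code. The four rules, the fingerprint input (path, rule, value) and the sample file are assumptions; the real agent's 19 patterns are not published.

```python
import hashlib
import re

# Four illustrative rules (assumed). Severity follows the page's table: private
# keys, database URIs and cloud credentials are Critical, hardcoded passwords High.
RULES = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"), "Critical"),
    ("database_uri", re.compile(r"\b\w+://[^\s:/]+:[^\s@/]+@\S+"), "Critical"),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "Critical"),
    ("password_assignment", re.compile(r"(?i)\bpassword\s*[=:]\s*['\"]([^'\"]{6,})['\"]"), "High"),
]
REDACTION_MARKER = "[REDACTED]"


def redact(secret):
    """Keep only the first 4 characters, enough to recognise the value."""
    return secret[:4] + REDACTION_MARKER


def fingerprint(path, rule_id, secret):
    """SHA256 over location, rule and full value: the same secret seen again on
    a later scan hashes identically, so it is tracked rather than re-alerted."""
    return hashlib.sha256(f"{path}\0{rule_id}\0{secret}".encode()).hexdigest()


def scan_text(path, text):
    """Return one open finding per distinct secret; plaintext never leaves here."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern, severity in RULES:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(1) if match.groups() else match.group(0)
            fp = fingerprint(path, rule_id, secret)
            findings.setdefault(fp, {
                "fingerprint": fp, "rule": rule_id, "severity": severity,
                "file": path, "line": lineno, "value": redact(secret), "status": "open",
            })
    return list(findings.values())


# Constructed sample file; the AWS key is the documentation placeholder and the
# repeated key on the last line collapses into the earlier finding.
SAMPLE_ENV = """\
DATABASE_URL=postgres://app:s3cretpw@db.internal:5432/prod
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password = "hunter2hunter2"
backup_key = AKIAIOSFODNN7EXAMPLE
"""
```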

Access Control

The security dashboard is restricted to administrator accounts only. All access to security findings and the ability to manage finding status is logged and auditable.

Secure Storage

All security findings and audit logs are stored in our encrypted database with complete audit trails maintained for compliance purposes.

9. System Hardening

The Security Agent runs with restricted permissions following the principle of least privilege:

  • Dedicated Service Account: Runs under a dedicated non-root service account
  • No New Privileges: Prevented from acquiring additional privileges during execution
  • System Protection: Cannot modify core system files or directories
  • Home Protection: Cannot access user home directories
  • Private Temp: Uses isolated temporary file storage
  • Kernel Protection: Restricted from kernel modification capabilities

10. Permissions Agent

In addition to the Security Agent, we operate a Permissions Agent that continuously monitors and hardens service configurations across our infrastructure:

  • Monitors systemd service configurations for security compliance
  • Proposes hardening improvements based on security best practices
  • Tracks all services and their permission profiles
  • Implements approval workflows for permission changes
  • Maintains complete audit logs of all modifications
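How the six hardening controls of section 9 map onto a systemd unit, and the kind of check the Permissions Agent of section 10 performs, as an added example that is not the agent's own code. The mapping of each bullet to a directive, the accepted values, and the sample unit are assumptions; the directives themselves are standard systemd settings.

```python
import configparser

# Assumed mapping from the page's hardening bullets to systemd directives.
# Each entry: accepted values, and the value proposed when absent or weaker.
HARDENING = {
    "NoNewPrivileges":       ({"yes", "true", "on", "1"}, "yes"),             # No New Privileges
    "ProtectSystem":         ({"yes", "full", "strict"}, "strict"),           # System Protection
    "ProtectHome":           ({"yes", "true", "read-only", "tmpfs"}, "yes"),  # Home Protection
    "PrivateTmp":            ({"yes", "true", "on", "1"}, "yes"),             # Private Temp
    "ProtectKernelModules":  ({"yes", "true", "on", "1"}, "yes"),             # Kernel Protection
    "ProtectKernelTunables": ({"yes", "true", "on", "1"}, "yes"),             # Kernel Protection
}


def parse_unit(unit_text):
    """Parse a unit file; systemd allows repeated keys (strict=False) and its
    directive names are case-sensitive, so keep them as written."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(unit_text)
    return cp


def audit_unit(unit_text):
    """Return the hardening directives a permissions audit would propose."""
    service = parse_unit(unit_text)
    section = service["Service"] if service.has_section("Service") else {}
    proposals = []
    user = section.get("User", "").strip()
    if not user or user == "root":                 # Dedicated Service Account
        proposals.append("User=<dedicated non-root account>")
    for key, (accepted, proposed) in HARDENING.items():
        if section.get(key, "").strip().lower() not in accepted:
            proposals.append(f"{key}={proposed}")
    return proposals


def render_dropin(proposals):
    """Format proposals as a drop-in override awaiting administrator approval."""
    return "[Service]\n" + "".join(f"{line}\n" for line in proposals)


# Constructed unit: dedicated user and partial hardening, three controls missing.
SAMPLE_UNIT = """\
[Unit]
Description=Security Agent (constructed example)

[Service]
ExecStart=/opt/security-agent/bin/agent
User=secagent
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
"""
```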

11. How This Protects You

Our Security Agent protects your information and data in several ways:

Your Account Security

  • Login monitoring detects if someone else gains access to your account
  • New device and location detection helps identify unauthorized access
  • Suspicious pattern detection catches potential account compromise early

Your Data Protection

  • Credential scanning prevents accidental exposure of authentication data
  • File permission monitoring ensures your uploaded data remains protected
  • Continuous monitoring catches vulnerabilities before they can be exploited

Platform Integrity

  • Automated scanning ensures our codebase remains free of exposed secrets
  • System hardening prevents privilege escalation attacks
  • Audit trails enable rapid investigation and response to any incidents

12. Compliance Standards

Our security practices are designed to align with industry-standard security frameworks and best practices, including:

  • OWASP Security Guidelines for web application security
  • CIS Benchmarks for system hardening
  • Principle of Least Privilege for access control
  • Defense in Depth security architecture
  • Continuous monitoring and logging best practices

13. Incident Response

When the Security Agent detects a potential security issue:

  1. Immediate Notification: System administrators receive email alerts for new findings
  2. Severity Assessment: Findings are automatically classified by risk level
  3. Investigation: Security team reviews and investigates the finding
  4. Remediation: Appropriate corrective actions are taken
  5. Verification: Follow-up scans confirm the issue has been resolved
  6. Documentation: All actions are logged for audit and compliance purposes

14. Transparency and Trust

We believe in transparency about our security practices. This document describes the automated security monitoring that protects our platform and your data. We continuously improve our security measures and will update this document as our security capabilities evolve.

15. Questions and Contact

If you have questions about our security practices or want to report a security concern, please contact us:

ITAD Tools Security
Email: admin@itadtools.com
Website: itadtools.com/contact

For security vulnerabilities, please email us directly rather than posting publicly. We take all security reports seriously and will respond promptly.

16. ITAD Industry Compliance

Our platform is designed to support organizations in meeting ITAD-specific compliance requirements:

  • R2 (Responsible Recycling): Our data destruction certificates document the sanitization process in alignment with R2 requirements for data sanitization. Organizations should maintain these certificates as part of their R2 documentation.
  • e-Stewards: Our automated certificate generation and verification system supports e-Stewards documentation requirements for data destruction tracking.
  • NIST 800-88: Our wipe methods include options aligned with NIST 800-88 Rev. 1 guidelines for media sanitization, including Clear and Purge-level methods. Note: NIST 800-88 recommends cryptographic erase or physical destruction for flash-based media (SSDs/NVMe).

Important: ITAD Tools provides software tools to assist with compliance documentation. We do not provide compliance certification. Organizations should verify that their use of our tools meets their specific regulatory requirements.

17. Payment Security (PCI DSS)

  • All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor
  • ITAD Tools does not store, process, or transmit credit card numbers or payment card data on our servers
  • All payment pages use TLS 1.2+ encryption
  • Stripe handles all aspects of card processing, tokenization, and secure storage
  • Our integration uses Stripe's hosted payment elements, ensuring card data never touches our infrastructure

18. Regulatory Framework Alignment

  • GDPR (General Data Protection Regulation): We implement technical and organizational measures to protect personal data of EU/EEA users, including data minimization, purpose limitation, and data subject rights (see our Privacy Policy)
  • CCPA/CPRA (California Consumer Privacy Act): California residents have specific rights regarding their personal information (see our Privacy Policy)
  • CAN-SPAM: Our email communications comply with CAN-SPAM requirements
  • COPPA: Our platform is not intended for users under 18; we do not knowingly collect data from children

19. Sub-Processors

We use the following sub-processors to deliver our services. Each has been evaluated for data protection and security practices:

Sub-Processor      Purpose             Location             Compliance
Stripe Inc.        Payment processing  USA                  PCI DSS Level 1
Sentry             Error monitoring    USA                  SOC 2
MaxMind            IP geolocation      USA                  Anonymized (local database, no data sent to MaxMind)
Self-hosted Umami  Analytics           Same infrastructure  No data sharing (self-hosted, privacy-focused, no cookies)

We will update this list if we add or change sub-processors. Enterprise customers requiring advance notification of sub-processor changes can contact us at admin@itadtools.com.

20. Data Processing

  • We are committed to transparent data processing practices
  • Our Data Processing Agreement (DPA) is available for all customers who require a formal agreement governing the processing of personal data
  • We maintain records of processing activities as required by applicable regulations
  • Data subject requests are responded to within 30 days