We are a security product. Here's how we handle yours.
An honest overview of our infrastructure, access control, application security, AI data handling, and compliance roadmap. For documentation requests, email [email protected].
At a glance
| Control | Scope |
|---|---|
| TLS 1.2+ | All traffic in transit |
| AES-256 | All data at rest |
| MFA | All staff access |
| SOC 2 | Type II in progress |
01 / Infrastructure
| Control | Implementation |
|---|---|
| Cloud hosting | Application runs on AWS. Compute, database, and storage services deployed within isolated VPCs with security groups restricting access to only required ports and services. |
| Data encryption | AES-256 at rest. TLS 1.2 or higher in transit. Unencrypted connections not supported. |
| Database | Production databases in private subnets with no public internet access. Access requires authenticated, encrypted connections from authorized application servers only. |
| Backups | Production databases backed up daily. Backups encrypted and stored in a separate AWS region. Restoration procedures tested quarterly. |
02 / Access control
| Control | Implementation |
|---|---|
| MFA required | Multi-factor authentication required for all staff with access to production systems: cloud infrastructure, databases, third-party services. |
| Least privilege | Staff access scoped to what is necessary for the role. Reviewed quarterly. |
| SSO | Internal tooling access managed via a centralized identity provider with SSO enforced. |
| Offboarding | Access revoked within 4 hours of employment termination. |
03 / Application security
| Control | Implementation |
|---|---|
| Authentication | Passwords hashed with salted PBKDF2-HMAC-SHA256 (600k iterations); never stored in plain text. Sessions use short-lived signed JWTs. TOTP-based MFA available; new accounts must verify email before first sign-in. |
| Authorization | All data access scoped to the authenticated company. Direct object references validated server-side on every request. |
| Dependency management | Pinned and scanned for known vulnerabilities. Critical CVEs patched within 48 hours. |
| Secret management | Stored in environment variables and secret management services. No secrets in version control. |
| Error monitoring | Captured via Sentry. Error reports do not contain personally identifiable information. |
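The Authentication and Authorization rows above name two controls that are easy to state and easy to get subtly wrong: salted PBKDF2-HMAC-SHA256 at 600k iterations with a constant-time comparison on verify, and server-side validation that every direct object reference belongs to the caller's company. The block below is an added illustration written for this page, not Vensider.io's own code; the record format, the `Forbidden` exception, the in-memory `ASSESSMENTS` store and the company identifiers are all constructed assumptions.

```python
"""Illustrative password storage and tenant-scoped lookup (added example).

Assumptions (not from the page): the stored-hash record format
"pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>", the Forbidden exception,
and the constructed ASSESSMENTS store standing in for a database table.
"""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # matches the 600k iterations stated on the page
SALT_BYTES = 16               # 128-bit random salt per password
DK_LEN = 32                   # SHA-256 output size


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 record; the plaintext is never stored."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time. Malformed records are rejected, never raised on."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record predates the current work factor; re-hash on next
    successful login so old accounts are upgraded transparently."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < PBKDF2_ITERATIONS


class Forbidden(Exception):
    """Raised when a reference does not resolve inside the caller's company."""


# Constructed sample data: two companies, each owning one vendor assessment.
ASSESSMENTS = {
    101: {"company_id": "acme", "vendor": "ExampleVendor"},
    102: {"company_id": "globex", "vendor": "OtherVendor"},
}


def get_assessment(session_company_id: str, assessment_id: int) -> dict:
    """Server-side direct object reference check: the lookup is keyed on both
    the client-supplied id and the company taken from the authenticated
    session, so an id belonging to another tenant can never be returned."""
    record = ASSESSMENTS.get(assessment_id)
    # Same error for "does not exist" and "exists in another company", so the
    # response does not reveal which ids are in use elsewhere.
    if record is None or not hmac.compare_digest(record["company_id"], session_company_id):
        raise Forbidden("assessment not found")
    return record


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec.split("$")[:2], verify_password("correct horse battery staple", rec))
    print(get_assessment("acme", 101)["vendor"])
```

The `iterations` parameter on `hash_password` exists so the work factor can be raised later without a migration; `needs_rehash` is the hook for upgrading records opportunistically at login. In a real deployment the `ASSESSMENTS` dictionary would be a query that filters on both `id` and `company_id`, which is the same check expressed in SQL.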
04 / AI & data handling
What we send to Anthropic (Claude API)
When you run a vendor assessment, the following is sent to Anthropic's Claude API:
| Category | What is sent |
|---|---|
| Vendor documents | Publicly available: privacy policy, ToS, trust center pages |
| Company profile | Industry, regulatory obligations, IdP type, MDM type |
| Assessment intent | Vendor name and intended use you provided |
Not sent: employee names, customer data, email addresses, or other personal information. Anthropic's API does not train models on API inputs by default.
05 / Incident response
In the event of a security incident involving your data, we will notify affected customers within 72 hours of discovery, consistent with GDPR Article 33 requirements. Notifications will include the nature of the breach, data affected, and steps taken to remediate.
06 / Compliance roadmap
| Standard | Status |
|---|---|
| SOC 2 Type II | In progress |
| GDPR DPA | Available on request |
| ISO 27001 | Planned |
| HIPAA BAA | Available on Pro+ plans |
07 / Responsible disclosure
If you discover a security vulnerability in Vensider.io, report it to [email protected]. We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days.
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate. No bug-bounty program currently, but we are grateful for responsible disclosures.
Need to request documentation?
[email protected] · DPAs, SOC 2 letter of intent, sub-processor list