Security

Security Practices

Authentication & Access Control

• OAuth 2.0 Only - No password storage, leveraging Google and GitHub authentication
• JWT Sessions - Secure, short-lived tokens with automatic rotation
• Rate Limiting - Protection against brute force and DDoS attacks
• IP Monitoring - Suspicious activity detection and automatic blocking

Data Protection

• Encryption at Rest - All databases encrypted with AES-256
• Encryption in Transit - TLS 1.3 for all connections
• Data Minimization - We only store what's necessary for service operation
• Automatic Deletion - Old audit data and logs automatically purged
• Secure Backups - Encrypted backups with 90-day retention

Application Security

• OWASP Top 10 - Protection against all common web vulnerabilities
• Input Validation - All user input sanitized and validated
• SQL Injection Prevention - Parameterized queries and ORM usage
• XSS Protection - Content Security Policy and input escaping
• CSRF Tokens - Protection against cross-site request forgery

Infrastructure Security

• Vercel Platform - Enterprise-grade hosting with built-in DDoS protection
• CDN & WAF - Global content delivery with web application firewall
• Automatic Updates - Dependencies updated weekly, critical patches immediately
• Isolated Execution - Serverless functions run in isolated containers

Compliance

GDPR (General Data Protection Regulation)

• Data processing lawfulness and transparency
• Right to access, rectification, and erasure
• Data portability and restriction of processing
• Breach notification within 72 hours

CCPA (California Consumer Privacy Act)

• Right to know what data is collected
• Right to delete personal information
• Right to opt-out of data sales (we don't sell data)
• Non-discrimination for exercising rights

SOC 2 Type II (In Progress)

We are working towards SOC 2 Type II certification, demonstrating our commitment to:

• Security - Protection against unauthorized access
• Availability - System uptime and reliability
• Confidentiality - Data protection and access controls
• Processing Integrity - Accurate and authorized processing
• Privacy - Collection and use according to privacy notice

Responsible Disclosure

We welcome security researchers and users to report vulnerabilities responsibly.

Reporting a Vulnerability

If you discover a security vulnerability, please:

1. Email us immediately at security@vertaaux.ai
2. Include detailed information:
   • Type of vulnerability
   • Steps to reproduce
   • Potential impact
   • Proof of concept (if applicable)
3. Do not publicly disclose until we've had time to address it
4. Allow 90 days for us to resolve before public disclosure

What We Promise

• Acknowledgment within 24 hours - We'll confirm receipt of your report
• Regular updates - Status updates every 48-72 hours
• Credit - Public acknowledgment in our security hall of fame (if desired)
• No legal action - We won't pursue legal action for good faith research

Bug Bounty Program

We offer rewards for valid security vulnerabilities based on severity:

• Critical: €500 - €2,000 (RCE, SQL injection, authentication bypass)
• High: €200 - €500 (XSS, CSRF, privilege escalation)
• Medium: €50 - €200 (Information disclosure, denial of service)
• Low: €10 - €50 (Minor security issues)

Incident Response

In case of a security incident:

• Detection - 24/7 monitoring with automated alerts
• Assessment - Immediate triage and impact analysis
• Containment - Isolate affected systems within minutes
• Notification - Affected users notified within 72 hours
• Resolution - Root cause analysis and permanent fix
• Post-Mortem - Public incident report published

Security Updates

Subscribe to security notifications at security@vertaaux.ai to receive:

• Security patch announcements
• Incident reports and resolutions
• Security best practices for users

Questions?

For security-related questions, contact:

• Security Team: security@vertaaux.ai
• Compliance: compliance@vertaaux.ai
• Privacy: privacy@vertaaux.ai
• General Support: support@vertaaux.ai