Security

VertaaUX is operated with production security controls and a documented response process. This page summarizes controls, commitments, and contact paths.

Operational verification snapshot

Last updated: February 16, 2026. Current deployment includes CSP, CSRF protections, OAuth-based authentication, and rate limiting controls.

Infrastructure Security

Hosted on modern cloud infrastructure with monitoring in place. Check our Status page for current system health.

Data Encryption

All data encrypted in transit (TLS 1.3) and at rest (AES-256). Encryption and key handling follow platform security controls.

Privacy by Design

Data handling is designed to support GDPR and CCPA obligations. We collect only what's needed to operate the product and we do not sell user data.

Regular Audits

Security hardening and dependency review run continuously, with formal assessment activities scoped through the enterprise program.

Security Practices

Authentication & Access Control

  • OAuth 2.0 Only - No password storage, leveraging Google and GitHub authentication
  • JWT Sessions - Secure, short-lived tokens with automatic rotation
  • Rate Limiting - Protection against brute force and DDoS attacks
  • IP Monitoring - Suspicious activity detection and automatic blocking

Data Protection

  • Encryption at Rest - All databases encrypted with AES-256
  • Encryption in Transit - TLS 1.3 for all connections
  • Data Minimization - We only store what's necessary for service operation
  • Automatic Deletion - Old audit data and logs can be deleted by users; enterprise retention controls are available by contract
  • Secure Backups - Encrypted backups with 30-day retention

Application Security

  • OWASP Top 10 Alignment - Controls designed to reduce common web vulnerability classes
  • Input Validation - All user input sanitized and validated
  • SQL Injection Prevention - Parameterized queries and ORM usage
  • XSS Protection - Content Security Policy and input escaping
  • CSRF Tokens - Protection against cross-site request forgery

Infrastructure Security

  • Vercel Platform - Enterprise-grade hosting with built-in DDoS protection
  • CDN & WAF - Global content delivery with web application firewall
  • Dependency Management - Vulnerability scanning and prioritized patching workflow
  • Isolated Execution - Serverless functions run in isolated containers

Compliance

GDPR (General Data Protection Regulation)

  • Data processing lawfulness and transparency
  • Right to access, rectification, and erasure
  • Data portability and restriction of processing
  • Breach notification within 72 hours

CCPA (California Consumer Privacy Act)

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of data sales (we don't sell data)
  • Non-discrimination for exercising rights

SOC 2 Type II Program

We are actively working toward SOC 2 Type II certification. The formal audit process has not yet begun, but we have implemented controls aligned with SOC 2 trust service criteria:

  • Security - Protection against unauthorized access
  • Availability - System uptime and reliability
  • Confidentiality - Data protection and access controls
  • Processing Integrity - Accurate and authorized processing
  • Privacy - Collection and use according to privacy notice

Vulnerability Disclosure & Bug Bounty

We welcome responsible security research. Our full Vulnerability Disclosure Policy describes scope, safe harbor protections, reporting guidelines, and our bug bounty program (rewards from €10 to €2,000 based on severity).

Report vulnerabilities to security@vertaaux.ai. We acknowledge reports within 24 hours and provide regular status updates.

Security Acknowledgments

We thank the following individuals for responsibly reporting security issues and helping verify remediations. Public credit is listed with the researcher's consent.

Researcher   | Date       | Details
Harishwar T  | 13.03.2026 | Responsibly reported security issues and helped verify the remediation.

Incident Response

In case of a security incident:

  • Detection - 24/7 monitoring with automated alerts
  • Assessment - Immediate triage and impact analysis
  • Containment - Isolate affected systems within minutes
  • Notification - Affected users notified within 72 hours
  • Resolution - Root cause analysis and permanent fix
  • Post-Mortem - Public incident report published

Security Updates

Subscribe to security notifications at security@vertaaux.ai to receive:

  • Security patch announcements
  • Incident reports and resolutions
  • Security best practices for users

Questions?

For security-related questions, contact: