
Security at Vertos AI

We take security seriously. Here's a transparent look at how we protect your data and our path toward industry certifications.

Security Overview

Our Commitment

At Vertos AI, security is foundational to everything we build. We implement industry-standard security practices and are transparent about our current capabilities and future goals. We believe in earning your trust through actions, not just certifications.

Security Principles

Defense in Depth

Multiple layers of security controls

Least Privilege

Minimal access required for each role

Privacy by Design

Data protection built into every feature

Transparency

Honest about our security posture

Data Processing Region

Current Data Location

United States

US East (Virginia)

  • Application servers hosted on Vercel (US East)
  • PostgreSQL database on Neon (AWS us-east-1)
  • Authentication via Clerk (US)

Planned Regions

European Union

Ireland (eu-west-1)

Q4 2026

Germany

Frankfurt (eu-central-1)

2027

Contact sales@vertosai.com for enterprise data residency requirements.

Infrastructure Security

Cloud Hosting

Hosted on Vercel's enterprise infrastructure, which maintains:

  • SOC 2 Type II certified infrastructure
  • ISO 27001 certified data centers
  • Global edge network with DDoS protection

Data Encryption

  • In Transit: TLS 1.3 for all connections (HTTPS enforced)
  • At Rest: AES-256 encryption for stored data
  • Database: Encrypted connections and storage
  • Backups: Encrypted and geographically distributed

Network Security

  • Web Application Firewall (WAF)
  • DDoS mitigation at network edge
  • Rate limiting on API endpoints
  • CORS origin validation

Database Security

  • Managed PostgreSQL with automatic patching
  • Connection pooling with SSL/TLS
  • Point-in-time recovery capability
  • Automated daily backups

Application Security

Authentication

Powered by Clerk, a SOC 2 Type II certified authentication provider:

  • Multi-factor authentication (MFA)
  • Enterprise SSO (SAML/OIDC)
  • Secure session management
  • Password hashing with bcrypt

Authorization & Access Control

  • Role-based access control (RBAC)
  • Organization-level permissions
  • API key scoping and rotation
  • Audit logging for admin actions

Security Testing & Development

  • Automated dependency vulnerability scanning
  • Static code analysis in CI/CD
  • Code review requirements for all changes
  • Input validation and sanitization
  • OWASP Top 10 vulnerability prevention
  • Content Security Policy (CSP) enforcement

Data Protection

Data We Collect

  • Account information (name, email, company)
  • Service usage data and analytics
  • Customer data you choose to import
  • Communication history within the platform
  • Payment information (processed by Stripe)

See our Privacy Policy for complete details.

How It's Protected

  • Encrypted at rest and in transit
  • Isolated by organization/tenant
  • Access logged and monitored
  • Regular automated backups

Data Retention

  • Active accounts: Data retained while account is active
  • Closed accounts: Data deleted within 30 days
  • Backups: Retained for 90 days, then purged
  • Logs: Retained for 12 months for security

Your Rights

  • Request access to your data
  • Request data correction or deletion
  • Export your data in standard formats
  • Opt out of non-essential processing

Contact privacy@vertosai.com to exercise these rights.

Compliance Roadmap

We believe in being transparent about our compliance status. Here's where we are and where we're headed:

Current Status

Active

  • Infrastructure hosted on SOC 2 Type II certified providers (Vercel, AWS)
  • Authentication via Clerk (SOC 2 Type II certified)
  • Payment processing via Stripe (PCI DSS Level 1)
  • GDPR and CCPA compliant data handling practices

SOC 2 Type II Certification

In Progress

We are actively working toward our own SOC 2 Type II certification covering security, availability, and confidentiality trust principles.

Expected completion: Q3 2026

ISO 27001 Certification

Planned

Following SOC 2 certification, we plan to pursue ISO 27001 certification for international customers.

Target: 2027

Note: While we leverage SOC 2 certified infrastructure providers, Vertos AI as an organization is not yet independently SOC 2 certified. We are committed to achieving this certification and will update this page as we progress.

Security Practices

Employee Security

  • Security awareness training
  • MFA required for all systems
  • Principle of least privilege
  • Secure development guidelines

Vendor Security

  • Security assessment for vendors
  • DPA with all sub-processors
  • Regular vendor review
  • Sub-processor list

Incident Response

  • Documented response plan
  • 24-hour notification commitment
  • Post-incident analysis
  • Regular plan testing

Security Headers

We implement security headers to protect against common web vulnerabilities. These headers are set on all responses from our application.

Content-Security-Policy
Active
Nonce-based CSP

Prevents XSS attacks by controlling which resources can be loaded. We use nonce-based CSP for strict inline script control.

Strict-Transport-Security
Active
max-age=31536000; includeSubDomains

Forces HTTPS connections for one year, including all subdomains.

X-Content-Type-Options
Active
nosniff

Prevents browsers from MIME-sniffing a response away from the declared content-type.

X-Frame-Options
Active
DENY

Prevents the page from being embedded in frames, protecting against clickjacking attacks.

X-XSS-Protection
Active
1; mode=block

Enables the browser's built-in XSS filter (legacy browsers).

Referrer-Policy
Active
strict-origin-when-cross-origin

Controls how much referrer information is included with requests.

Permissions-Policy
Active
camera=(), microphone=(), geolocation=()

Restricts access to browser features we don't need, reducing attack surface.

Cross-Origin-Opener-Policy
Active
same-origin

Isolates the browsing context, protecting against cross-origin attacks.

Verification: You can verify these headers by inspecting the network tab in your browser's developer tools, or using tools like securityheaders.com.
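As an added example (not code from Vertos AI), a small Python check that encodes the header values listed above and flags a response that is missing them or weakens them; the sample responses are constructed, not captured from the site. Modern browsers ignore X-XSS-Protection, so it is checked only for consistency with the list above, while HSTS and CSP are parsed rather than string-compared.

```python
import re

# Expected values are the ones listed on this page; header names are compared case-insensitively.
EXACT = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
    "cross-origin-opener-policy": "same-origin",
}
ONE_YEAR = 31536000  # HSTS max-age stated on the page, in seconds

def check_headers(headers):
    """Return a list of findings for one response's headers; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXACT.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"{name}: got {got!r}, want {want!r}")
    # HSTS: max-age must be at least a year and includeSubDomains present, whatever the directive order.
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not age or int(age.group(1)) < ONE_YEAR:
        findings.append("strict-transport-security: max-age missing or below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("strict-transport-security: includeSubDomains missing")
    # Nonce-based CSP: the script-src directive must carry a 'nonce-...' source.
    csp = h.get("content-security-policy", "")
    scripts = re.search(r"(?:^|;)\s*script-src\s+([^;]*)", csp, re.I)
    if not scripts or "'nonce-" not in scripts.group(1):
        findings.append("content-security-policy: script-src missing or has no nonce")
    return findings

# Constructed sample responses (not captured from the real site).
GOOD = {
    "Content-Security-Policy": "default-src 'self'; script-src 'nonce-c2FtcGxl' 'strict-dynamic'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}
WEAK = {"Strict-Transport-Security": "max-age=300", "Content-Security-Policy": "script-src 'self' 'unsafe-inline'"}
```

Feed it the header dict from any HTTP client (for example `response.headers` from `requests`) to get the same findings list for a live response.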

Responsible Disclosure

We welcome security researchers to responsibly disclose vulnerabilities. We commit to working with you to understand and resolve issues quickly.

How to Report

  1. Email security@vertosai.com with details
  2. Include steps to reproduce the issue
  3. Provide your contact information
  4. Allow reasonable time for us to respond (typically 48h)

Our Commitment

  • Acknowledge reports within 48 hours
  • Provide status updates during investigation
  • Credit researchers in acknowledgments (optional)
  • No legal action for good-faith research

Note: We do not currently offer a paid bug bounty program, but we're happy to acknowledge researchers who help improve our security.

Need Security Documentation?

Enterprise customers can request security questionnaire responses, architecture documentation, and DPAs.
