Security at Vertos AI
We take security seriously. Here's a transparent look at how we protect your data and our path toward industry certifications.
Security Overview
Our Commitment
At Vertos AI, security is foundational to everything we build. We implement industry-standard security practices and are transparent about our current capabilities and future goals. We believe in earning your trust through actions, not just certifications.
Security Principles
Defense in Depth
Multiple layers of security controls
Least Privilege
Minimal access required for each role
Privacy by Design
Data protection built into every feature
Transparency
Honest about our security posture
Data Processing Region
Current Data Location
United States: US East (Virginia)
- Application servers hosted on Vercel (US East)
- PostgreSQL database on Neon (AWS us-east-1)
- Authentication via Clerk (US)
Planned Regions
- European Union: Ireland (eu-west-1)
- Germany: Frankfurt (eu-central-1)
Contact sales@vertosai.com for enterprise data residency requirements.
Infrastructure Security
Cloud Hosting
Vertos AI runs on Vercel's enterprise infrastructure. Vertos AI itself is not independently certified — we inherit security posture from our providers:
- Vercel's infrastructure is SOC 2 Type II certified
- Vercel's data centers are ISO 27001 certified
- Global edge network with DDoS protection
Data Encryption
- In Transit: TLS 1.3 enforced site-wide; TLS 1.2 minimum for legacy integrations. HSTS preload enabled.
- At Rest: AES-256-GCM for database storage, managed by AWS KMS with automatic key rotation.
- Application-Layer Encryption: Sensitive credentials (third-party API tokens, OAuth refresh tokens) are additionally encrypted with AES-256-GCM at the application layer before they reach the database, so a database snapshot alone cannot reconstruct them.
- Database: Encrypted connections (TLS 1.3) and encrypted volumes; no plaintext storage of customer data.
- Backups: AES-256 encrypted, geographically replicated, and rotated on a 90-day retention window.
Network Security
- Web Application Firewall (WAF)
- DDoS mitigation at network edge
- Rate limiting on API endpoints
- CORS origin validation
Database Security
- Managed PostgreSQL with automatic patching
- Connection pooling with SSL/TLS
- Point-in-time recovery capability
- Automated daily backups
Application Security
Authentication
Powered by Clerk, a SOC 2 Type II certified authentication provider:
- Multi-factor authentication (MFA)
- Enterprise SSO (SAML/OIDC)
- Secure session management
- Password hashing with bcrypt
Authorization & Access Control
- Role-based access control (RBAC)
- Organization-level permissions
- API key scoping and rotation
- Audit logging for admin actions
Security Testing & Development
- Automated dependency vulnerability scanning on every commit
- Static code analysis in CI/CD
- Pull-request code review required before merge to main
- Input validation via Zod schemas at every external boundary
- OWASP Top 10 vulnerability prevention
- Content Security Policy (CSP) enforcement
Penetration Testing
We have not yet commissioned a third-party penetration test. This is a known gap and is scheduled as part of our SOC 2 Type II work in Q3 2026.
- Initial external pen test: planned Q3 2026 as part of SOC 2 readiness
- Annual pen test cadence after SOC 2 certification
- Responsible-disclosure program is live today — see below
Data Protection
Data We Collect
- Account information (name, email, company)
- Service usage data and analytics
- Customer data you choose to import
- Communication history within the platform
- Payment information (processed by Stripe)
See our Privacy Policy for complete details.
How It's Protected
- Encrypted at rest and in transit
- Isolated by organization/tenant
- Access logged and monitored
- Regular automated backups
Data Retention
- Active accounts: Data retained while account is active
- Closed accounts: Data deleted within 30 days
- Backups: Retained for 90 days, then purged
- Logs: Retained for 12 months for security
Your Rights
- Request access to your data
- Request data correction or deletion
- Export your data in standard formats
- Opt out of non-essential processing
Contact privacy@vertosai.com to exercise these rights.
Compliance Roadmap
We believe in being transparent about our compliance status. Here's where we are and where we're headed:
Current Status
Status: Active
- Infrastructure hosted on SOC 2 Type II certified providers (Vercel, AWS)
- Authentication via Clerk (SOC 2 Type II certified)
- Payment processing via Stripe (PCI DSS Level 1)
- GDPR and CCPA compliant data handling practices
SOC 2 Type II Certification
Status: In Progress. We are actively working toward our own SOC 2 Type II certification covering security, availability, and confidentiality trust principles.
ISO 27001 Certification
Status: Planned. Following SOC 2 certification, we plan to pursue ISO 27001 certification for international customers.
Note: While we leverage SOC 2 certified infrastructure providers, Vertos AI as an organization is not yet independently SOC 2 certified. We are committed to achieving this certification and will update this page as we progress.
Security Practices
Employee Security
- Security awareness training
- MFA required for all systems
- Principle of least privilege
- Secure development guidelines
Vendor Security
- Security assessment before onboarding any new sub-processor
- Signed DPA on file with every sub-processor
- Annual review of each sub-processor's security posture
- 30-day advance notice to customers before adding a new sub-processor
- Current sub-processor list
Incident Response
- Documented response plan
- 72-hour notification to affected customers on confirmed incidents (aligns with GDPR and our MSA)
- Post-incident analysis + root-cause documentation
- Annual tabletop exercise of the response plan
Security Headers
We implement security headers to protect against common web vulnerabilities. These headers are set on all responses from our application.
- Content-Security-Policy: nonce-based CSP. Prevents XSS attacks by controlling which resources can be loaded; we use a nonce-based CSP for strict inline-script control.
- Strict-Transport-Security: max-age=31536000; includeSubDomains. Forces HTTPS connections for one year, including all subdomains.
- X-Content-Type-Options: nosniff. Prevents browsers from MIME-sniffing a response away from the declared content type.
- X-Frame-Options: DENY. Prevents the page from being embedded in frames, protecting against clickjacking attacks.
- X-XSS-Protection: 1; mode=block. Enables the browser's built-in XSS filter (legacy browsers).
- Referrer-Policy: strict-origin-when-cross-origin. Controls how much referrer information is included with requests.
- Permissions-Policy: camera=(), microphone=(), geolocation=(). Restricts access to browser features we don't need, reducing attack surface.
- Cross-Origin-Opener-Policy: same-origin. Isolates the browsing context, protecting against cross-origin attacks.
Verification: You can verify these headers by inspecting the network tab in your browser's developer tools, or using tools like securityheaders.com.
Responsible Disclosure
We welcome security researchers to responsibly disclose vulnerabilities. We commit to working with you to understand and resolve issues quickly.
How to Report
- Email security@vertosai.com with details
- Include steps to reproduce the issue
- Provide your contact information
- Allow reasonable time for us to respond (typically 48h)
Our Commitment
- Acknowledge reports within 48 hours
- Provide status updates during investigation
- Credit researchers in acknowledgments (optional)
- No legal action for good-faith research
Note: We do not currently offer a paid bug bounty program, but we're happy to acknowledge researchers who help improve our security.
Need Security Documentation?
Enterprise customers can request security questionnaire responses, architecture documentation, and DPAs.