Security at Core

Security isn't an afterthought—it's the foundation of our platform. We implement defense-in-depth strategies to protect your data at every layer.

  • SOC 2 Type II: In Progress
  • GDPR: Compliant
  • CCPA: Compliant
  • HIPAA: Planned

Defense in Depth

Security Measures

Comprehensive protection at every layer of the stack.

Encryption at Rest & Transit

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Database connections use SSL certificates.

  • AES-256 encryption
  • TLS 1.3
  • SSL database connections
  • Encrypted backups

SOC 2 Type II (In Progress)

We are working toward SOC 2 Type II certification with an independent auditor. Contact us for current status.

  • Audit in progress
  • Trust Service Criteria
  • Status available on request
  • Targeting 2026 completion

Infrastructure Security

Deployed on Google Cloud Platform with VPC isolation, WAF protection, and DDoS mitigation.

  • GCP infrastructure
  • VPC isolation
  • Cloud Armor WAF
  • Auto-scaling protection

Security Monitoring

Automated infrastructure monitoring with alerting and incident response procedures.

  • Automated monitoring
  • Alert pipelines
  • Incident response plan
  • Log aggregation

Security Testing

Continuous automated vulnerability scanning and dependency auditing across all services.

  • Penetration testing planned
  • Automated scanning
  • Dependency auditing
  • Bug bounty coming soon

Access Control

Strict access controls with MFA, principle of least privilege, and comprehensive audit logging.

  • MFA required
  • SSO integration
  • Role-based access
  • Privileged access management

Internal Practices

Organizational Security

  • All employees complete security awareness training
  • Encrypted laptops with endpoint protection
  • Zero-trust network architecture
  • Secure software development lifecycle (SDLC)
  • Regular security reviews and threat modeling
  • Dependency auditing and automated scanning

Data Processing

We process customer data only as necessary to provide our services. Your data is never used for training AI models or shared with third parties.

  • No data used for AI training
  • Minimal data collection
  • Right to deletion (GDPR/CCPA)

Data Retention

We retain data only as long as necessary to provide services. You can request deletion of your data at any time.

  • Automated data purging
  • 90-day log retention (configurable)
  • Self-service data export

Responsible Disclosure

If you believe you've found a security vulnerability in VAIF Studio, please report it to us immediately. We investigate all reports and respond within 24 hours. We do not pursue legal action against good-faith security researchers.

security@vaif.studio

PGP key available upon request