Direct access to production databases and servers is limited to authorized engineers via SSH key authentication.

Only authorized personnel can migrate changes to the production environment.

All production systems are accessed exclusively through encrypted connections. No unencrypted remote access paths exist.

Scan workers, databases, and application servers run on isolated network segments. Worker nodes cannot reach internal infrastructure.

Network firewalls restrict inbound and outbound traffic to only the ports and protocols required for operation. Access to firewall configuration is restricted to authorized personnel.

Application logs, access logs, and security events are aggregated centrally for monitoring and incident investigation.

Infrastructure monitoring generates alerts when predefined thresholds are met, enabling early detection of degradation or anomalies.

All public-facing endpoints are proxied through Cloudflare with DDoS mitigation and web application firewall rules enabled. And our own custom Anti-DDoS & WAF system as the main protector.

Infrastructure is patched as part of routine maintenance and in response to identified vulnerabilities.

All datastores containing customer data use AES-256 encryption at rest.

All data in transit uses TLS 1.2+ encryption. Internal service-to-service communication is also encrypted.

Access to encryption keys is restricted to authorized personnel with a business need.

Third-party dependencies are monitored for known vulnerabilities across all codebases.

Vulnerability scans are performed on external-facing systems. Critical and high vulnerabilities are tracked to remediation.

All code changes are reviewed before merging to production. All team members review each other's work.

Session tokens use httpOnly cookies. Credentials are never exposed to browser JavaScript or persisted in client-side storage.

All mutating API endpoints are protected by CSRF tokens. User input is validated and sanitized server-side before processing.

API endpoints enforce per-IP and per-account rate limits. Authentication endpoints have stricter limits to prevent brute-force attacks.

Passwords for in-scope system components are configured according to the company's password policy.

All AI provider contracts explicitly prohibit use of customer data for model training. Zero Data Retention is applied on select providers.

An automated system scrubs and redacts personally identifiable information and sensitive data before it reaches external services.

Primary databases and object storage are configured in EU regions. Customer data does not leave the EU for storage.

Customer data is retained only as long as needed for service delivery. Data is purged on account termination.

Customer data containing confidential information is purged from the application environment when customers leave the service.

A data classification policy is in place to ensure that confidential data is properly secured and restricted to authorized personnel.

Data Subject Access Requests are handled per GDPR Articles 15-22 with documented response timelines.

Error monitoring runs with PII scrubbing enabled. IP addresses and user-identifiable data are stripped before transmission.

A documented incident response runbook covers detection, containment, notification, and recovery procedures.

Security incidents are logged, tracked, resolved, and communicated to affected parties according to the incident response policy.

Database backups are encrypted and stored offline on cold storage, separate from production systems.

Changes to software and infrastructure are authorized, documented, tested, reviewed, and approved prior to production deployment.

Access reviews are conducted for in-scope system components to ensure access is restricted appropriately. Changes are tracked to completion.

Every third-party vendor processing data on Vexera's behalf operates under a signed Data Processing Agreement.

Information security policies and procedures are documented and reviewed at least annually.

The company performs background checks on all personnel, including founding team members.

All team members sign confidentiality agreements covering customer data and proprietary information.

All personnel review the company's security policies and responsibilities at least annually. Team members maintain active security expertise through ongoing professional practice.