Van-Vert
Back to home

Authority

Security

Last updated · May 12, 2026

Section 01

Infrastructure

Van-Vert runs on Google Cloud Platform in the EU-West region. All compute, storage and networking are provisioned within a dedicated VPC with no public internet exposure except through our edge load balancers.

Infrastructure is defined as code and deployed through a CI/CD pipeline with mandatory peer review. Production access requires multi-factor authentication and is restricted to a small on-call engineering team.

Section 02

Encryption

All data in transit is protected by TLS 1.3. All data at rest — including uploaded documents, database records and backups — is encrypted with AES-256 using keys managed by Google Cloud KMS.

Document uploads are encrypted client-side before transmission and stored in a dedicated, access-controlled storage bucket. Decryption keys are never exposed to application code at runtime.

Section 03

Access control

The platform enforces role-based access control at every layer. Pilots see only their own applications. Reviewers see only applications assigned to them. Admins and head admins have progressively broader access, with all actions recorded in an immutable audit log.

Internal staff access to production data requires VPN, hardware security key, and manager approval via a just-in-time access system with automatic expiry.

Section 04

Audits & certifications

Van-Vert holds a current SOC 2 Type II report covering Security, Availability and Confidentiality. We engage an independent third-party penetration testing firm on a quarterly basis, and run a continuous bug bounty program for critical-severity findings.

Audit reports and penetration test summaries are available under NDA. Contact security@vanvert.co.

Section 05

Incident response

We maintain a documented incident response plan with defined severity levels, escalation paths and communication timelines. Critical incidents trigger a response within 15 minutes. Affected users are notified within 72 hours as required by GDPR, or sooner when possible.

Post-incident reviews are published internally and shared with affected customers on request.

Section 06

Vulnerability disclosure

If you discover a security vulnerability in Van-Vert, please report it to security@vanvert.co. We operate a coordinated disclosure program and acknowledge reports within 24 hours.

We ask that you give us reasonable time to investigate and fix the issue before public disclosure. We do not pursue legal action against researchers acting in good faith.