Security at Core

Security isn't an afterthought—it's the foundation of our platform. We implement defense-in-depth strategies to protect your data at every layer.

Self-Serve Trust Center

Compliance Documents

Download the documents your procurement and security teams need to complete vendor review.

Need our SOC 2 Type 1 report (targeted for Q3 2026, see status below) or a deeper security review? Contact our team.

SOC 2 Type 1

Audit Underway

GDPR

Compliant

CCPA

Compliant

HIPAA

Roadmap

Defense in Depth

Security Measures

Comprehensive protection at every layer of the stack.

Encryption at Rest & Transit

All customer data is encrypted with AES-256 at rest and protected by TLS 1.3 in transit. Database connections use TLS with server certificates (a setting most database drivers still label "SSL").

  • AES-256 encryption at rest
  • TLS 1.3 in transit
  • TLS-encrypted database connections
  • Encrypted backups
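Stating "AES-256" says which block cipher is used, not whether the backup is tamper-evident. The following is an added example (written for this page, not VAIF Studio's implementation) of what an encrypted-backup routine should look like: AES-256 in GCM mode, a fresh random nonce per object, and the backup name bound as additional authenticated data so a modified blob, or one copied into a different backup slot, is rejected instead of decrypting to garbage. The function names, the backup name and the sample contents are constructed for the demo; the key is assumed to come from a KMS or secrets manager, never from a config file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Blob layout: nonce || ciphertext || 16-byte GCM tag.
// The backup name is bound as additional authenticated data (AAD), so a blob
// restored under a different name fails authentication rather than decrypting.

const keySize = 32 // AES-256

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("AES-256 needs a %d-byte key, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals plaintext under key with a fresh random nonce.
// The key is assumed to come from a KMS or secrets manager (hypothetical caller).
func EncryptBackup(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// DecryptBackup opens a blob produced by EncryptBackup. Any change to the
// ciphertext, tag, nonce or backup name makes Open fail; no partial plaintext
// is ever returned.
func DecryptBackup(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("backup blob too short to contain nonce and tag")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, []byte(name))
}

func main() {
	// Constructed demo key; a real deployment fetches it from a KMS.
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	const name = "db-nightly-2026-01-01" // constructed backup name
	blob, err := EncryptBackup(key, name, []byte("constructed sample backup contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed blob: %d bytes\n", len(blob))

	if pt, err := DecryptBackup(key, name, blob); err == nil {
		fmt.Printf("round trip ok: %q\n", pt)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	if _, err := DecryptBackup(key, name, blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01 // restore it
	if _, err := DecryptBackup(key, "db-nightly-2026-01-02", blob); err != nil {
		fmt.Println("blob restored under the wrong name rejected:", err)
	}
}
```

The check a reviewer should make against any "AES-256" claim is the same one this code makes explicit: an authenticated mode (GCM or similar), a nonce that is never reused under the same key, and authentication failure treated as a hard error rather than a warning.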

SOC 2 Type 1 — Audit Underway

SOC 2 Type 1 audit is currently in progress with an independent CPA firm; report targeted for Q3 2026. Type 2 observation window planned to begin once Type 1 is issued.

  • Type 1 audit in progress
  • Independent CPA firm engaged
  • Trust Service Criteria mapped
  • Type 2 window starts after Type 1

Infrastructure Security

Deployed on hardened, audited cloud infrastructure with private network isolation, WAF protection, and DDoS mitigation.

  • Private network isolation
  • Web Application Firewall
  • DDoS mitigation
  • Auto-scaling protection

Security Monitoring

Automated infrastructure monitoring with alerting and incident response procedures.

  • Automated monitoring
  • Alert pipelines
  • Incident response plan
  • Log aggregation

Security Testing

Continuous automated vulnerability scanning and dependency auditing across all services. Annual third-party penetration testing scheduled for Q3 2026; public bug bounty program planned for Q4 2026.

  • Continuous automated scanning
  • Dependency auditing
  • Third-party pentest Q3 2026
  • Public bug bounty Q4 2026

Access Control

Strict access controls with MFA, principle of least privilege, and comprehensive audit logging.

  • MFA required
  • SSO/SAML on Agency, Studio+, Enterprise
  • Role-based access
  • Privileged access management

Internal Practices

Organizational Security

  • All employees complete security awareness training
  • Encrypted laptops with endpoint protection
  • Zero-trust network architecture
  • Secure software development lifecycle (SDLC)
  • Regular security reviews and threat modeling
  • Dependency auditing and automated scanning

Data Processing

We process customer data only as necessary to provide our services. Your data is never used for training AI models or shared with third parties.

  • No data used for AI training
  • Minimal data collection
  • Right to deletion (GDPR/CCPA)

Data Retention

We retain data only as long as necessary to provide services. You can request deletion of your data at any time.

  • Automated data purging
  • 90-day log retention (configurable)
  • Self-service data export

Responsible Disclosure

If you believe you've found a security vulnerability in VAIF Studio, please report it to us immediately. We investigate all reports and respond within 24 hours. We do not pursue legal action against good-faith security researchers.

security@vaif.studio

PGP key available upon request