Security

Security & Compliance

How we protect your data

Security is foundational to the Vane Loop platform. We implement defense-in-depth controls spanning infrastructure, application, data, and organizational layers.

Data Encryption

Encryption at Rest

  • AES-256 encryption for all data stored in databases and file systems
  • Encrypted database backups with separate key management
  • Encrypted AI model artifacts and configuration data

Encryption in Transit

  • TLS 1.2 or higher for all client-server communications
  • TLS 1.3 preferred where supported
  • HSTS (HTTP Strict Transport Security) enabled
  • Perfect Forward Secrecy (PFS) cipher suites

Access Control

Authentication

  • Multi-factor authentication (MFA) required for all administrative access
  • MFA optional for end users, recommended for Pro and above
  • Secure session management with automatic timeout
  • Protection against brute-force attacks via rate limiting

Authorization

  • Role-Based Access Control (RBAC) with principle of least privilege
  • Granular permissions per subscription tier and user role
  • Logical data isolation between customer accounts
  • Separate production and development environments

Infrastructure Security

Network Protection

  • Cloud-based firewalls with restrictive inbound rules
  • Intrusion Detection Systems (IDS) and monitoring
  • DDoS protection at the CDN and application layers
  • Private networking for internal service communication

Platform Security

  • Regular security patching and updates
  • Automated vulnerability scanning
  • Container security scanning for Docker images
  • Infrastructure as Code (IaC) with security policy enforcement

Application Security

Secure Development

  • Secure Software Development Lifecycle (SSDLC)
  • Code review process with security checkpoints
  • Static Application Security Testing (SAST)
  • Dependency vulnerability scanning
  • Security-focused linting and automated checks

Runtime Protection

  • Protection against OWASP Top 10 vulnerabilities
  • Input validation and sanitization
  • CSRF (Cross-Site Request Forgery) protection
  • XSS (Cross-Site Scripting) prevention
  • SQL injection prevention via parameterized queries
  • Content Security Policy (CSP) headers

Data Protection

Data Lifecycle Management

  • Secure data deletion with cryptographic erasure
  • Automated retention policy enforcement
  • Data minimization: collect only what's needed
  • Anonymization and pseudonymization for benchmarks

Backup and Recovery

  • Daily automated backups with encryption
  • Point-in-time recovery capability
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour
  • Regular backup restoration testing

Monitoring and Incident Response

Security Monitoring

  • 24/7 automated security monitoring and alerting
  • Centralized logging with tamper-proof audit trails
  • Anomaly detection for unusual access patterns
  • Failed authentication attempt monitoring

Incident Response

  • Documented incident response plan
  • Defined escalation procedures
  • Data breach notification within 72 hours (GDPR requirement)
  • Post-incident review and remediation process

Organizational Security

Personnel Security

  • Background checks for employees with data access
  • Mandatory security awareness training
  • Confidentiality agreements (NDAs)
  • Regular security refresher training
  • Immediate access revocation upon employee departure

Vendor Management

  • Security assessment of all sub-processors
  • Contractual data protection obligations
  • Regular vendor security reviews
  • Documented sub-processor list (see Sub-Processors)

Compliance and Certifications

Regulatory Compliance

  • GDPR (EU General Data Protection Regulation)
  • CCPA/CPRA (California Consumer Privacy Act)
  • Delaware DPDPA (Delaware Personal Data Privacy Act)
  • U.S. state privacy laws (Virginia, Colorado, Connecticut, etc.)
  • EU AI Act (Regulation (EU) 2024/1689) - Limited-risk AI classification

Standards and Frameworks

  • Alignment with ISO/IEC 27001 controls
  • SOC 2 Type II readiness (certification in progress)
  • OWASP Application Security Verification Standard (ASVS)
  • NIST Cybersecurity Framework alignment

Penetration Testing

  • Annual third-party penetration testing
  • Quarterly internal security assessments
  • Responsible disclosure program for security researchers
  • Timely remediation of identified vulnerabilities

Business Continuity

  • Documented business continuity plan (BCP)
  • Disaster recovery procedures
  • Geographic redundancy for critical systems
  • Regular BCP testing and updates

Responsible Disclosure

Security researchers: if you discover a security vulnerability, please report it responsibly to:

Email: security@vaneloop.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Suggested remediation (if applicable)

We commit to:

  • Acknowledge receipt within 48 hours
  • Provide regular status updates
  • Credit researchers (with permission) for valid findings
  • Not pursue legal action for good-faith security research

Questions?

For security-related questions or to report a concern:
Email: security@vaneloop.com

For privacy and data protection matters:
Email: privacy@vaneloop.com

For general legal inquiries:
Email: legal@vaneloop.com