Compliance Status
Data Encryption
At Rest
All data stored in Neon PostgreSQL is encrypted at rest using AES-256. Database volumes are encrypted by the underlying cloud provider with per-volume keys.
In Transit
All client-server and server-to-database communication uses TLS 1.2+. Connections without TLS are rejected. HTTP requests are redirected to HTTPS.
OAuth Tokens
Third-party OAuth tokens and API credentials are encrypted with AES-256-GCM before storage. Keys are never stored in plaintext.
Parameterized Queries
All database queries use parameterized statements. No raw string interpolation is used in SQL, eliminating SQL injection as an attack surface.
Infrastructure Security
Neon PostgreSQL
Managed serverless PostgreSQL with automatic backups, point-in-time recovery, and branch isolation. Data is stored in SOC 2 Type II certified infrastructure.
Render Hosting
Application services run on Render's managed platform with automatic TLS provisioning, DDoS protection via Cloudflare, and network isolation between services.
Environment Isolation
Agent sandbox processes run with allowlist-only environment variable access. Production credentials are blocked from agent execution contexts by default.
Dependency Scanning
npm packages are pinned and reviewed. No runtime code execution from external sources. All dependencies are evaluated before inclusion.
Access Controls & Audit Logging
Every screening action, report generation, and API call is recorded in immutable audit trail logs via the screening_audit table. Logs capture: actor, timestamp, action type, target entity, and outcome.
API keys are scoped and can be revoked individually without affecting other keys. Key last-use timestamps are recorded. Enterprise plans include SSO and granular seat-level access logs.
Session tokens expire on logout and are invalidated server-side. Rate limiting is applied per IP and per user on all authentication endpoints to prevent brute-force attacks.
Observability & Monitoring
Veridact runs OpenTelemetry-based distributed tracing across all application layers. Every request produces structured trace spans that flow into a centralized observability stack for real-time anomaly detection.
Application metrics, error rates, and latency are monitored continuously. Alerts trigger on error rate spikes, unusual API usage patterns, and authentication anomalies. Zero-log silent failures are not permitted — all error paths emit structured log events.
Data Retention & Deletion
Screening results and generated reports are retained for 7 years by default to satisfy regulatory record-keeping requirements under FinCEN and BSA. Customers may request shorter retention windows on Enterprise plans.
Account deletion triggers full data purge within 30 days, excluding data subject to regulatory hold. Personal data accessed via API is not cached beyond the immediate session.
Backup snapshots are retained for 30 days and then permanently deleted. Backups are encrypted with the same AES-256 keys as primary storage.
Security inquiries
For procurement reviews, pen-test requests, vendor questionnaires, or vulnerability disclosures, reach out directly.
sales@veridact.solutions