Trust center

We scan apps for a living.
We hold ourselves to the same standard.

Vezraa is built on the assumption that someone is always trying to get in. Here's how we keep your data safe, what we've verified, and how to reach us if you find a vulnerability.

Controls in production

How we protect your data

For full detail of our technical and organizational measures (as required for SCC Annex II), see Annex 2 of our Data Processing Addendum.

Encryption everywhere

TLS 1.2+ on every public endpoint with HSTS preload submission. Encryption at rest on the primary Postgres database and on cached scan artifacts. OAuth tokens stored encrypted at rest.

API keys hashed, never stored in plaintext

Vezraa API keys are stored only as one-way hashes. The plaintext is shown to you exactly once at creation. Lose it, rotate it. We never see it again either.

Least privilege & MFA

Role-based access controls and least-privilege principles for staff and machine accounts. Multi-factor authentication enforced on all administrative consoles, the code host, and every cloud provider.

Network segregation

Production and non-production environments are isolated. Restrictive firewall and security-group rules at the database and queue layer. Secrets live in encrypted secret managers — never in source code.

Audit logging

Audit logs on database mutations and on access to scan-related secrets. Structured request and error logs. Sentry tracks errors and performance regressions in real time.

Hardened SDLC

Pull-request review by another engineer on every change. Pre-deploy CI runs typecheck, lint, and unit tests. Staged rollout via Vercel preview deployments before production.

Continuous vulnerability management

Dependency scanning runs on every CI build. Periodic vulnerability assessment of our own platform. Security review on every high-risk change.

Vendor risk review

Every subprocessor is reviewed before onboarding and on a recurring schedule. Data-processing agreements with each. SCCs and the UK Addendum where required.

Compliance & certifications

What we've verified

GDPR / UK GDPR / DPDP Act

Live

We process personal data under documented legal bases. Standard Contractual Clauses + UK Addendum in place with all relevant subprocessors. India DPDP Act compliance program active.

CCPA / CPRA + 17 US state privacy laws

Live

We do not sell or share personal data. We honor all access, deletion, correction, and portability requests under CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, FDBR, and equivalent laws.

Razorpay (PCI DSS Level 1)

Live

All card processing is delegated to Razorpay, which is PCI DSS Level 1 compliant. We never see, log, or store full card numbers, CVCs, or bank-account details.

SOC 2 Type II

In progress

We are working toward SOC 2 Type II. Reach out to udayakirantumma@gmail.com if you need a security questionnaire or letter of intent in the meantime.

ISO 27001

Planned

ISO 27001 certification is on the roadmap behind SOC 2. We'll publish the timeline as it firms up.

Found something?

Coordinated disclosure policy

We welcome reports from the security community. If you believe you've found a vulnerability in Vezraa, here's how to share it with us safely.

In scope

  • vezraa.com and all subdomains
  • Our public APIs (api.vezraa.com, /api/*)
  • The Vezraa MCP server
  • Our CLI and GitHub Action
  • The Vezraa Razorpay checkout flow (without making real charges)

Please don't

  • Run automated scans against our infrastructure
  • Attempt denial-of-service or resource exhaustion
  • Pivot from a finding into other customer accounts
  • Publicly disclose before we've had a chance to fix
  • Phish or socially engineer Vezraa staff

How to report

  1. Email udayakirantumma@gmail.com with a clear description, reproduction steps, and any supporting screenshots or proof-of-concept code.
  2. We will acknowledge receipt within two (2) business days and give you a status update within seven (7) days.
  3. We'll work with you on remediation timelines. Critical issues are typically fixed within thirty (30) days.
  4. With your permission, we'll credit you in our changelog when the fix ships. We don't currently run a paid bug-bounty program, but we're happy to send swag and a public thank-you.

We commit to not pursuing legal action against researchers acting in good faith and within the rules above. If you're unsure whether something is in scope, ask before testing.

Hall of fame

Researchers who've helped us improve Vezraa will be listed here with their permission. The list is currently empty because the Service is new — be the first.

Need a DPA, security questionnaire, or vendor review?

Our standard Data Processing Addendum applies automatically to every paid customer. For a countersigned copy, a SIG-Lite or CAIQ response, or a vendor-onboarding questionnaire, email us and we'll turn it around within five business days.
