Vezraa is built on the assumption that someone is always trying to get in. Here's how we keep your data safe, what we've verified, and how to reach us if you find a vulnerability.
Controls in production
For full details of our technical and organizational measures (as required for SCC Annex II), see Annex 2 of our Data Processing Addendum.
TLS 1.2+ on every public endpoint with HSTS preload submission. Encryption at rest on the primary Postgres database and on cached scan artifacts. OAuth tokens stored encrypted at rest.
Vezraa API keys are stored only as one-way hashes. The plaintext is shown to you exactly once at creation. Lose it, rotate it. We never see it again either.
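As an added illustration of the key-handling scheme described above (example code written for this page, not Vezraa's own; the `vz_` prefix, the `id.secret` layout and the in-memory store are assumptions), the server keeps only a one-way hash and the plaintext exists only in the single value returned at creation:

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "vz_"  # hypothetical prefix chosen for this example


def hash_key(plaintext: str) -> str:
    """One-way digest; this is the only form of the key ever written to storage.
    A fast hash is adequate here because the secret part is 256 random bits,
    so there is nothing for an offline guessing attack to gain."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def create_key(store: dict, label: str) -> str:
    """Mint a key, persist only its hash, and return the plaintext exactly once."""
    key_id = secrets.token_hex(8)          # public lookup id embedded in the key
    secret = secrets.token_urlsafe(32)     # the part that must stay secret
    plaintext = f"{KEY_PREFIX}{key_id}.{secret}"
    store[key_id] = {"label": label, "hash": hash_key(plaintext)}
    return plaintext  # shown to the user once; not retained anywhere server-side


def verify_key(store: dict, presented: str) -> bool:
    """Look up the record by the embedded id and compare digests in constant time."""
    if not presented.startswith(KEY_PREFIX) or "." not in presented:
        return False
    key_id = presented[len(KEY_PREFIX):].split(".", 1)[0]
    record = store.get(key_id)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], hash_key(presented))


def rotate_key(store: dict, lost_plaintext_id: str, label: str) -> str:
    """A lost plaintext cannot be recovered from its hash; revoke and mint a new key."""
    store.pop(lost_plaintext_id, None)
    return create_key(store, label)


if __name__ == "__main__":
    store: dict = {}
    key = create_key(store, "ci-runner")
    print("show once:", key)
    print("valid:", verify_key(store, key), "tampered:", verify_key(store, key + "x"))
```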
Role-based access controls and least-privilege principles for staff and machine accounts. Multi-factor authentication enforced on all administrative consoles, the code host, and every cloud provider.
Production and non-production environments are isolated. Restrictive firewall and security-group rules at the database and queue layer. Secrets live in encrypted secret managers — never in source code.
Audit logs on database mutations and on access to scan-related secrets. Structured request and error logs. Sentry tracks errors and performance regressions in real time.
Pull-request review by another engineer on every change. Pre-deploy CI runs typecheck, lint, and unit tests. Staged rollout via Vercel preview deployments before production.
Dependency scanning runs on every CI build. Periodic vulnerability assessment of our own platform. Security review on every high-risk change.
Every subprocessor is reviewed before onboarding and on a recurring schedule. Data-processing agreements with each. SCCs and the UK Addendum where required.
Compliance & certifications
We process personal data under documented legal bases. Standard Contractual Clauses and the UK Addendum are in place with all relevant subprocessors. India DPDP Act compliance program active.
We do not sell or share personal data. We honor all access, deletion, correction, and portability requests under CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, FDBR, and equivalent laws.
All card processing is delegated to Razorpay, which is PCI DSS Level 1 compliant. We never see, log, or store full card numbers, CVCs, or bank-account details.
We are working toward SOC 2 Type II. Reach out to udayakirantumma@gmail.com if you need a security questionnaire or letter of intent in the meantime.
ISO 27001 certification is on the roadmap behind SOC 2. We'll publish the timeline as it firms up.
Found something?
We welcome reports from the security community. If you believe you've found a vulnerability in Vezraa, here's how to share it with us safely.
We commit to not pursuing legal action against researchers acting in good faith and within the rules above. If you're unsure whether something is in scope, ask before testing.
Researchers who've helped us improve Vezraa will be listed here with their permission. The list is currently empty because the Service is new — be the first.
Our standard Data Processing Addendum auto-applies to every paid customer. For a countersigned copy, a SIG-Lite or CAIQ response, or a vendor-onboarding questionnaire, email us and we'll turn it around within five business days.