How Is Data Encrypted?
All data stored and transmitted by Vacalion is protected using industry-standard encryption. We apply encryption at multiple layers to ensure your financial information is never exposed in plaintext.
| Layer | Standard | Scope |
|---|---|---|
| Data at rest | AES-256-GCM | All database records, uploaded files, and backups |
| Data in transit | TLS 1.2+ (TLS 1.3 preferred) | All API calls, web traffic, and internal service communication |
| Sensitive fields | Envelope encryption (AES-256 + KMS) | Tax IDs, bank credential references, payment tokens |
| Backups | AES-256 | All database and file-system backups |
Encryption keys are managed using a dedicated Key Management Service (KMS) with automatic rotation policies. No plaintext keys are stored alongside the data they protect.
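The envelope scheme in the table works as follows: each sensitive record is encrypted under its own data encryption key (DEK), and only the DEK is encrypted under a key encryption key (KEK) that lives in the KMS, so the database holds ciphertext plus a wrapped key and never a usable plaintext key. The Go program below is an added illustration of that pattern using AES-256-GCM from the standard library; it is not Vacalion's code, and the in-process KEK, the `EncryptField`/`DecryptField` names, the `users/42/tax_id` record identifier and the sample tax ID are all constructed for the example (in a real deployment the wrap and unwrap calls go to the KMS and the KEK never leaves it).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord is what gets persisted for one encrypted field: the field
// ciphertext and the wrapped data key. The plaintext DEK is never stored.
type EnvelopeRecord struct {
	WrappedDEK []byte // DEK encrypted under the KEK (the KMS Encrypt output in production)
	Ciphertext []byte // field value encrypted under the DEK with AES-256-GCM
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key with a fresh random 96-bit nonce and
// returns nonce || ciphertext || tag. aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext, tag or aad fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptField builds the envelope: generate a per-record DEK, encrypt the field
// under it, then wrap the DEK under the KEK. aad (here a table/row/column path)
// binds both ciphertexts to their record so they cannot be swapped between rows.
// kek stands in for the KMS-held key; it is a constructed stand-in for the demo.
func EncryptField(kek, plaintext, aad []byte) (EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EnvelopeRecord{}, err
	}
	ct, err := sealGCM(dek, plaintext, aad)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	wrapped, err := sealGCM(kek, dek, aad)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	return EnvelopeRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK with the KEK, then decrypts the field.
func DecryptField(kek []byte, rec EnvelopeRecord, aad []byte) ([]byte, error) {
	dek, err := openGCM(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, rec.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // constructed KEK for the demo only
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	aad := []byte("users/42/tax_id") // constructed record identifier
	rec, err := EncryptField(kek, []byte("12-3456789"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptField(kek, rec, aad)
	fmt.Printf("decrypted: %s err=%v\n", pt, err)
	_, err = DecryptField(kek, rec, []byte("users/43/tax_id"))
	fmt.Println("same ciphertext under another record id:", err)
}
```

Two properties of the pattern are worth checking in any implementation: decrypting under a different record identifier must fail (the AAD binding), and rotating the KEK only requires re-wrapping the stored DEKs, not re-encrypting the data itself, which is what makes the automatic rotation policies mentioned above practical at scale.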
How Is the Network Secured?
Our network architecture is designed with defense-in-depth principles to prevent unauthorised access and limit the blast radius of any potential incident:
- All production infrastructure is hosted in isolated Virtual Private Clouds (VPCs) with strict inbound and outbound firewall rules
- Public-facing endpoints sit behind a Web Application Firewall (WAF) that blocks common web attack patterns from the OWASP Top 10, including SQL injection and cross-site scripting
- DDoS protection is applied at the network edge via our CDN and cloud provider's native mitigation services
- Internal services communicate only over encrypted connections within private subnets; no internal service is directly reachable from the internet
- Network segmentation separates payment processing, AI workloads, and user data environments
- All API endpoints enforce rate limiting and IP-based throttling to prevent abuse
Where Is Data Hosted?
Vacalion's primary infrastructure runs on leading cloud providers (Amazon Web Services and Google Cloud Platform), both of which maintain ISO 27001, SOC 2, and PCI DSS Level 1 certifications at the infrastructure level.
- Primary datastores are hosted in the United States (us-east-1) with automated cross-region replication for disaster recovery
- European user data is processed within EU data centres where required by GDPR data residency obligations
- All cloud provider relationships are governed by Data Processing Agreements (DPAs) complying with applicable privacy regulations
- Object storage (S3-compatible) containing uploaded documents uses server-side AES-256 encryption with customer-managed keys
How Do You Build Secure Software?
Security is integrated into every stage of our software development lifecycle (SDLC):
- Threat modelling is conducted during the design phase for any new feature that handles personal or financial data
- Code reviews require at least one security-focused reviewer for pull requests touching authentication, payments, or data access logic
- Static Application Security Testing (SAST) runs automatically on every pull request via our CI/CD pipeline
- Dependency scanning checks for known CVEs in all third-party libraries on every build; critical vulnerabilities block deployment
- Secret detection prevents hardcoded credentials from entering the codebase
- Security training is mandatory for all engineers, covering OWASP Top 10 and secure coding practices
How Do You Track and Fix Vulnerabilities?
We maintain a formal vulnerability management programme that covers our entire technology stack:
- Automated dependency scanners run daily and raise tickets for newly discovered CVEs
- Critical and high-severity vulnerabilities are patched within 24 hours of confirmation
- Medium-severity vulnerabilities are addressed within 7 days; low-severity within 30 days
- A private bug bounty programme rewards external researchers for responsibly disclosing valid security issues
- All security findings are tracked in a centralised issue tracker with mandatory SLA enforcement
Do You Conduct Penetration Tests?
Yes. We engage independent, certified security firms to perform penetration testing on a regular basis:
- Full-scope web application and API penetration tests are conducted at minimum annually by CREST-certified or equivalent testers
- Network infrastructure tests are conducted semi-annually
- Any critical or high findings are remediated and verified before the next scheduled release
- Penetration test summary reports are available to enterprise customers under NDA upon request
Who Can Access My Data?
Access to customer data within Vacalion follows strict least-privilege principles:
- Access is granted on a need-to-know basis and reviewed quarterly by engineering and security leads
- Production database access is restricted to a small set of senior engineers; all access is logged and audited
- Customer support staff can access only the account metadata necessary to resolve a support ticket — they cannot see raw financial data or payment credentials
- All internal access to production systems requires a VPN connection combined with multi-factor authentication
- Privileged access management (PAM) tools enforce just-in-time access for administrative operations; standing access to production is prohibited
How Do You Protect User Accounts?
We implement multiple layers of protection to keep your Vacalion account secure:
- Passwords are hashed using bcrypt with a high work factor; we never store plaintext passwords
- Multi-factor authentication (MFA) is available and strongly recommended for all accounts; it is mandatory for accounts with elevated permissions
- Session tokens are cryptographically secure, short-lived, and invalidated on logout or password change
- Suspicious login detection flags logins from new locations or devices and requires additional verification
- Rate limiting and account lockout protect against brute-force attacks on login and password reset endpoints
- OAuth 2.0 with PKCE is used for all third-party integrations; tokens are scoped to minimum required permissions
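PKCE (RFC 7636) is the part of that list with a concrete protocol computation behind it: the client generates a secret code_verifier, sends only its SHA-256 hash (the code_challenge) with the authorization request, and proves possession of the verifier when it redeems the authorization code, so an intercepted code alone is useless. The Go program below is an added example of both sides of that check, written with the standard library; it is not Vacalion's code, and the function names and the rejection of the "plain" method are choices made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewCodeVerifier returns a code_verifier: 32 random bytes, base64url without
// padding, giving 43 characters from the unreserved set (RFC 7636 section 4.1).
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
// (RFC 7636 section 4.2). The client sends this with the authorization request
// and keeps the verifier secret until the token request.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the check the authorization server performs at the token
// endpoint (RFC 7636 section 4.6): recompute the challenge from the presented
// verifier and compare it with the one stored alongside the authorization code.
// Only S256 is accepted here; "plain" gives no protection against an attacker
// who observed the authorization request, so this example rejects it.
func VerifyPKCE(storedChallenge, method, verifier string) error {
	if n := len(verifier); n < 43 || n > 128 {
		return errors.New("code_verifier length out of range (43..128)")
	}
	if method != "S256" {
		return fmt.Errorf("unsupported code_challenge_method %q", method)
	}
	derived := CodeChallengeS256(verifier)
	if subtle.ConstantTimeCompare([]byte(derived), []byte(storedChallenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier) // sent in the authorization request
	fmt.Println("code_challenge:", challenge)
	fmt.Println("token request with the real verifier:", VerifyPKCE(challenge, "S256", verifier))
	// An attacker holding only the intercepted authorization code has no verifier.
	fmt.Println("token request with a guessed verifier:", VerifyPKCE(challenge, "S256",
		"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"))
}
```

The comparison uses a constant-time compare so that the token endpoint does not leak how many leading characters of a guessed challenge were correct.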
How Do You Secure Employee Access?
Our internal security programme for employees covers the full employment lifecycle:
- All employees undergo background screening before being granted access to production systems
- Security awareness training and phishing simulations are conducted quarterly
- All company-issued devices are enrolled in a mobile device management (MDM) system with full-disk encryption enforced
- Endpoint detection and response (EDR) software monitors all company devices for anomalous activity
- Access credentials are revoked within one hour of an employee leaving the company
How Do You Detect Threats in Real Time?
Our security operations are built around continuous, automated monitoring across all systems:
- All API requests, authentication events, and administrative actions are logged to an immutable, centralised SIEM (Security Information and Event Management) system
- Automated alerting fires on patterns associated with credential stuffing, account takeover, unusual data access, and privilege escalation
- Our FraudGuard engine monitors all financial transactions in real time for behavioural anomalies and known fraud patterns
- Uptime and performance monitoring provide 24/7 visibility into service health, with automated incident creation on degradation
- Log retention is maintained for a minimum of 12 months to support forensic investigations
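One of the alert patterns named above, credential stuffing, has a simple signature in authentication logs: one source address failing logins against many different accounts in a short window, as opposed to one user failing repeatedly. The Go program below is an added example of that detection logic run over constructed log lines; it is not Vacalion's SIEM rule, the key=value log format is assumed for the example rather than taken from Vacalion's schema, and the addresses, usernames and thresholds are made up.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleAuthLog is constructed for this example in an assumed key=value format.
// 203.0.113.7 tries six different accounts in ten seconds and gets one hit;
// 198.51.100.2 is a single user mistyping a password, which must not alert.
const SampleAuthLog = `
ts=2024-03-01T10:00:00Z event=auth.login user=alice ip=203.0.113.7 result=fail
ts=2024-03-01T10:00:02Z event=auth.login user=bob ip=203.0.113.7 result=fail
ts=2024-03-01T10:00:04Z event=auth.login user=carol ip=203.0.113.7 result=fail
ts=2024-03-01T10:00:06Z event=auth.login user=dave ip=203.0.113.7 result=fail
ts=2024-03-01T10:00:08Z event=auth.login user=erin ip=203.0.113.7 result=fail
ts=2024-03-01T10:00:10Z event=auth.login user=frank ip=203.0.113.7 result=success
ts=2024-03-01T10:01:00Z event=auth.login user=alice ip=198.51.100.2 result=fail
ts=2024-03-01T10:01:20Z event=auth.login user=alice ip=198.51.100.2 result=fail
ts=2024-03-01T10:01:45Z event=auth.login user=alice ip=198.51.100.2 result=success
`

// AuthEvent is one parsed login attempt.
type AuthEvent struct {
	Time   time.Time
	User   string
	IP     string
	Result string // "success" or "fail"
}

// ParseAuthLog parses every non-empty key=value line; unknown keys are ignored
// and a line missing any required field is an error rather than silently skipped.
func ParseAuthLog(body string) ([]AuthEvent, error) {
	var events []AuthEvent
	for _, line := range strings.Split(body, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		kv := map[string]string{}
		for _, field := range strings.Fields(line) {
			if k, v, ok := strings.Cut(field, "="); ok {
				kv[k] = v
			}
		}
		ts, err := time.Parse(time.RFC3339, kv["ts"])
		if err != nil || kv["user"] == "" || kv["ip"] == "" || kv["result"] == "" {
			return nil, fmt.Errorf("bad event line %q: %v", line, err)
		}
		events = append(events, AuthEvent{Time: ts, User: kv["user"], IP: kv["ip"], Result: kv["result"]})
	}
	return events, nil
}

// StuffingAlert describes one source address that matched the rule.
type StuffingAlert struct {
	IP                      string
	DistinctUsers, Failures int
	WindowStart, WindowEnd  time.Time
}

// DetectCredentialStuffing flags a source IP whose failed logins hit at least
// minUsers distinct accounts inside a sliding window of the given length.
func DetectCredentialStuffing(events []AuthEvent, window time.Duration, minUsers int) []StuffingAlert {
	failuresByIP := map[string][]AuthEvent{}
	for _, ev := range events {
		if ev.Result == "fail" {
			failuresByIP[ev.IP] = append(failuresByIP[ev.IP], ev)
		}
	}
	var alerts []StuffingAlert
	for ip, evs := range failuresByIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		inWindow := map[string]int{} // user -> failures currently inside the window
		start := 0
		for end := range evs {
			inWindow[evs[end].User]++
			for evs[end].Time.Sub(evs[start].Time) > window { // slide the window forward
				u := evs[start].User
				inWindow[u]--
				if inWindow[u] == 0 {
					delete(inWindow, u)
				}
				start++
			}
			if len(inWindow) >= minUsers {
				alerts = append(alerts, StuffingAlert{IP: ip, DistinctUsers: len(inWindow),
					Failures: end - start + 1, WindowStart: evs[start].Time, WindowEnd: evs[end].Time})
				break // one alert per source; a SIEM rule would suppress repeats for the same IP
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].IP < alerts[j].IP })
	return alerts
}

func main() {
	events, err := ParseAuthLog(SampleAuthLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectCredentialStuffing(events, 60*time.Second, 5) {
		fmt.Printf("ALERT credential stuffing from %s: %d accounts, %d failures, %s to %s\n",
			a.IP, a.DistinctUsers, a.Failures, a.WindowStart.Format(time.RFC3339), a.WindowEnd.Format(time.RFC3339))
	}
}
```

The rule keys on distinct accounts per source rather than raw failure counts, which is what separates stuffing from a legitimate user retrying; the same sliding-window shape, keyed the other way round (one account, many sources), is the usual starting point for an account-takeover rule. In practice the success from the stuffing address (the `frank` line) is the event worth escalating, since it is the credential pair that actually worked.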
What Happens If There Is a Security Incident?
We maintain a formal Incident Response Plan that is tested via annual tabletop exercises:
- Detection: automated alerts or external reports trigger an incident; an on-call responder is paged immediately
- Containment: affected systems are isolated to prevent lateral movement within minutes of confirmation
- Eradication: the root cause is identified and eliminated before systems are restored
- Notification: where a breach affects personal data, we notify the relevant supervisory authority and affected users within 72 hours of becoming aware of it, as required by applicable law (GDPR Art. 33 for the supervisory authority; Art. 34 for affected individuals)
- Post-mortem: every incident results in a written post-mortem with root cause analysis and corrective actions, shared internally and, where relevant, with affected customers
What Is Your Disaster Recovery Capability?
We maintain active business continuity and disaster recovery (BCP/DR) programmes to ensure Service availability:
- All critical databases are replicated in real time across at least two geographically separate availability zones
- Recovery Time Objective (RTO): 4 hours for complete regional failure
- Recovery Point Objective (RPO): 1 hour for transactional data
- Full system backups are performed daily and tested for restorability monthly
- Failover procedures are documented and tested at minimum annually
Are You PCI DSS Compliant?
Payment card data handled through Vacalion is processed exclusively by Stripe, a PCI DSS Level 1 certified service provider — the highest level of compliance available. Vacalion never stores, processes, or transmits raw card numbers. Our integration with Stripe uses tokenisation to ensure card data never passes through our servers.
Our PCI DSS scope is kept to the minimum possible: we use Stripe Elements and Stripe.js to capture payment details directly in the browser, so card data goes straight to Stripe and Vacalion's systems stay entirely outside the cardholder data environment (CDE).
Are You SOC 2 Certified?
We are in the process of completing our SOC 2 Type II audit, covering the Trust Service Criteria for Security, Availability, and Confidentiality. Enterprise customers may request our current SOC 2 bridge letter and our anticipated audit completion timeline by contacting security@vacalion.com.
Our cloud infrastructure providers (AWS, Google Cloud) each maintain their own SOC 2 Type II certifications, copies of which are available on their respective compliance portals.
Which Third Parties Process My Data?
We maintain a current sub-processor list covering all third parties that access or process personal data on our behalf. Key sub-processors include:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing & billing | United States |
| Plaid | Open banking & account aggregation | United States |
| Amazon Web Services | Cloud infrastructure & storage | US / EU |
| Google Cloud Platform | Cloud infrastructure & AI/ML services | US / EU |
| Supabase | Database hosting | United States |
| SendGrid | Transactional email | United States |
| Sentry | Error monitoring | United States |
All sub-processors are bound by Data Processing Agreements and are required to maintain security standards at least equivalent to those described in this page.
How Do I Report a Security Vulnerability?
We take all security reports seriously and run a responsible disclosure programme. If you discover a potential vulnerability in our systems or applications, please follow these steps:
- Email security@vacalion.com with a clear description of the vulnerability, steps to reproduce, and the potential impact
- Do not publicly disclose the vulnerability before we have had an opportunity to investigate and remediate
- Do not attempt to access, modify, or exfiltrate data beyond what is needed to demonstrate the issue
- Do not perform denial-of-service testing or social engineering against our staff
We commit to acknowledging all valid reports within 2 business days, providing a remediation timeline within 7 business days, and notifying you when the fix has been deployed. We do not pursue legal action against researchers who follow these guidelines.
How Do I Reach Your Security Team?
For any security questions, enterprise security reviews, or penetration test report requests, please contact us:
Security Team
Vulnerability reports and security documentation requests: security@vacalion.com (use the subject "Security Report" for vulnerability reports)
Enterprise security reviews: contact@vacalion.com
Vacalion LLC — United States