Security
How we protect your data and maintain the security of our platform.
Last updated: January 30, 2025
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Authentication: Secure auth via Supabase with session management and PKCE
- Infrastructure: Hosted on enterprise-grade cloud infrastructure with SOC 2 compliance
- Access Control: Row-level security policies ensuring data isolation between accounts
- Monitoring: Continuous monitoring and alerting for suspicious activity
- Incident Response: Documented incident response procedures with defined escalation paths
At Vetrics, security is foundational to everything we build. We understand that you're trusting us with valuable brand intelligence and competitive data. This page outlines our security practices and commitments.
Data Encryption
Encryption in Transit
All data transmitted between your browser and Vetrics is encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol. This applies to:
- All web traffic to vetrics.ai and app.vetrics.ai
- API communications
- Authentication flows
- Payment processing via Stripe
Encryption at Rest
All data stored in our databases and file storage is encrypted at rest using AES-256 encryption, an industry-standard algorithm used by governments and financial institutions worldwide.
Password Security
User passwords are never stored in plain text. We use bcrypt with appropriate cost factors for password hashing. Even our own team cannot view or recover your password.
Authentication & Access Control
Authentication System
Vetrics uses Supabase Auth, a secure, enterprise-grade authentication system that provides:
- Secure session management with automatic token refresh
- PKCE (Proof Key for Code Exchange) for OAuth flows
- Protection against session fixation and hijacking
- Secure password reset flows
Row-Level Security
Our database implements row-level security (RLS) policies that ensure:
- Users can only access data belonging to their account
- Team members can only access brands they've been granted access to
- Complete data isolation between different organizations
API Security
Our API endpoints are protected by:
- JWT-based authentication for all requests
- Rate limiting to prevent abuse
- Input validation and sanitization
- CORS policies restricting cross-origin requests
Infrastructure Security
Cloud Infrastructure
Vetrics is built on enterprise-grade cloud infrastructure:
- Supabase — Database and authentication (PostgreSQL on AWS)
- Vercel — Application hosting with automatic HTTPS and DDoS protection
- Stripe — PCI-DSS Level 1 certified payment processing
Our infrastructure providers maintain SOC 2 Type II compliance and undergo regular third-party security audits.
Network Security
Our infrastructure includes:
- DDoS protection at the edge
- Web Application Firewall (WAF) rules
- Automated threat detection and blocking
- Geo-blocking capabilities for compliance requirements
Data Handling
Data Minimization
We collect and retain only the data necessary to provide our services. We don't store sensitive data we don't need.
Third-Party Data Sharing
When we query AI platforms on your behalf (ChatGPT, Claude, Perplexity, etc.), we only send the prompts you've configured. We do not share your personal information, account details, or other brand data with AI providers.
Data Retention
Monitoring data is retained according to your subscription plan:
- Starter: 7 days of historical data
- Pro: 90 days of historical data
- Enterprise: Unlimited retention (configurable)
Upon account deletion, personal data is removed within 30 days.
Organizational Security
Access Management
Access to production systems is strictly limited:
- Principle of least privilege for all access
- No direct database access for most team members
- Audit logs for all administrative actions
- Regular access reviews
Incident Response
We maintain documented incident response procedures including:
- Defined severity levels and escalation paths
- Communication protocols for affected users
- Post-incident review and improvement processes
Compliance
Current Status
Enterprise Security
Enterprise customers may have additional security requirements. We offer:
- Security questionnaire responses
- Custom data processing agreements (DPAs)
- Data residency options
- Custom retention policies
- Dedicated security reviews
Vulnerability Disclosure
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:
Report a Vulnerability
Email us at security@vetrics.ai
- We will acknowledge receipt within 48 hours
- We will work with you to understand and validate the issue
- We will keep you informed of our remediation progress
- We appreciate responsible disclosure
Contact
For security-related questions or concerns, contact us at:
Security: security@vetrics.ai
Privacy: privacy@vetrics.ai
Frequently Asked Questions
Is my data encrypted on Vetrics?
Yes. All data is encrypted in transit using TLS 1.3 and encrypted at rest using AES-256 encryption. Your passwords are hashed using industry-standard algorithms and never stored in plain text.
Where is Vetrics data stored?
Vetrics data is stored in secure cloud infrastructure provided by Supabase, with data centers in the United States and European Union. Enterprise customers can request specific data residency requirements.
How does Vetrics protect against unauthorized access?
We use multiple layers of protection: secure authentication via Supabase Auth, row-level security policies in our database, API rate limiting, and continuous monitoring for suspicious activity.
Is Vetrics SOC 2 compliant?
We are working toward SOC 2 Type II certification. Our infrastructure providers (Supabase, Stripe, Vercel) maintain SOC 2 compliance. Contact us for our current security documentation.
How can I report a security vulnerability?
Please report security vulnerabilities to security@vetrics.ai. We take all reports seriously and will respond within 48 hours. We appreciate responsible disclosure and will work with you to address any issues.