Trust & Compliance

Security is in our DNA.

OsVault is built with the same security rigor we help you enforce. Explore our architecture, compliance posture, and data handling practices.

Architecture Overview

Zero Trust Data Pipeline

Our Rust-based ingestion engine runs in isolated, stateless containers. It fetches data from NVD, OSV, EPSS, and CISA KEV without storing credentials on disk.

Edge-First Deployment

All web traffic is served through Vercel's global edge network with automatic SSL, DDoS mitigation, and geographic routing for sub-100ms response times.

Isolated GitHub App

The GitHub App is deployed as a separate, sandboxed service. It requests minimal permissions (read-only code access) and processes PR data entirely in memory.

Encrypted Database

All vulnerability data and customer metadata are stored in Supabase (PostgreSQL on AWS) with AES-256 encryption at rest and TLS 1.3 in transit.

Security Controls

A detailed breakdown of every security control across OsVault's infrastructure, data handling, and access management layers.

Data Security

  • Encryption at rest: AES-256 via Supabase managed encryption (Active)
  • Encryption in transit: TLS 1.3 enforced on all endpoints (Active)
  • Database isolation: Row-Level Security (RLS) enforced per organization (Active)
  • Secret management: Environment variables via Vercel encrypted storage (Active)

Access Control

  • SSO / SAML: Enterprise plan — Okta, Azure AD, Google Workspace (Available)
  • Role-Based Access Control: Admin, Security Engineer, Viewer roles (Available)
  • API key rotation: Automatic 90-day rotation with zero downtime (Active)
  • MFA enforcement: Q3 2026 — TOTP and WebAuthn support (Roadmap)

Audit & Compliance

  • Audit logs: Immutable, append-only logs for all dashboard actions (Available)
  • SOC 2 Type II: Audit in progress — estimated Q4 2026 (Roadmap)
  • ISO 27001: Certification planned post-SOC 2 completion (Roadmap)
  • GDPR compliance: EU data processing, DPA available on request (Active)

Infrastructure

  • Hosting provider: Vercel Edge Network — SOC 2 Type II certified (Active)
  • Database provider: Supabase (AWS) — SOC 2 Type II certified (Active)
  • DDoS protection: Vercel Edge + Upstash rate limiting (Active)
  • Uptime SLA: 99.9% guaranteed for Enterprise plans (Available)

Data Handling

What We Access

  • PR diff content (dependency file changes only)
  • Repository file tree (for reachability analysis)
  • GitHub organization metadata

What We Never Store

  • Source code — analyzed in-memory, never persisted
  • Personal access tokens — we use GitHub App JWTs
  • Passwords or secrets from your codebase

Retention Policy

  • Scan results: 90 days (configurable on Enterprise)
  • Audit logs: 1 year (immutable)
  • Vulnerability data: Updated daily, never deleted

Need more details?

Request our full security questionnaire, DPA, or schedule a call with our security team.