SECURITY

Your data security is our priority

We implement industry-standard security practices to protect your data and maintain your trust.

Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.3.

Compliance-Aligned

Architecture designed to align with SOC 2, GDPR, and CCPA requirements.

Access Controls

Role-based access controls with comprehensive audit logging.

Secure Infrastructure

Hosted on enterprise-grade cloud infrastructure with redundancy.

COMPLIANCE

Compliance alignment

Our infrastructure and processes are designed to align with major regulatory frameworks. We are transparent about our current status and certification roadmap.

GDPR

European data protection regulation

Aligned

Our data handling practices are designed to comply with GDPR requirements including data minimization, purpose limitation, and user rights.

CCPA

California Consumer Privacy Act

Aligned

We provide California residents with rights to know, delete, and opt-out of data sales (we do not sell personal data).

SOC 2 Type II

Security & availability controls

In Progress

Our infrastructure and processes are designed following SOC 2 principles. Formal certification is on our roadmap.

PCI DSS

Payment card data security

Via Stripe

We do not store payment card data. All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider.

Transparency note

We are committed to transparency about our security posture. While we implement industry-standard security controls and design our systems to comply with major frameworks, formal third-party certifications are part of our ongoing roadmap as we scale.

ARCHITECTURE

Secure by design

Vurrk is architected with security as a foundational principle. Sensitive operations stay server-side, APIs enforce authorization and validation, and all trust-critical actions are auditable.

  • No exposed credentials: service keys and secrets remain server-side only.
  • Least-privilege access: credentials are scoped to the minimum required permissions.
  • Row-level security: database policies enforce user-owned data access.
  • Immutable audit logs: trust-critical actions are logged and cannot be altered.
REQUEST FLOW

Client → API → Database

  1. Client Request: user action in browser
  2. Authentication: JWT validation + session check
  3. Authorization: RBAC + row-level policies
  4. Validation: input sanitization + rate limits
  5. Data Access: server-side only, scoped queries
  6. Audit Log: immutable record of action
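
The six steps above, carried through in code as an added example (this is not Vurrk's code and the page does not publish its implementation). The HS256 secret, the role table, the rate limit, the sample invoice rows and the in-memory audit list are all assumptions; the lists stand in for the database, and `scoped_query` models what a Postgres row-level security policy does on the server.

```python
"""Worked model of the Client -> API -> Database flow. Added example, not Vurrk's
code: the key, role table, limits and rows below are assumptions."""
import base64, hashlib, hmac, json, time

SECRET = b"demo-signing-key-not-for-production"   # assumption: HS256 key, server-side only
ACTIVE_SESSIONS = {"sess-1", "sess-2"}             # assumption: server-side session store
ROLE_PERMS = {"owner": {"invoice:create", "invoice:read"}, "viewer": {"invoice:read"}}
RATE_LIMIT = 10                                    # assumption: requests per user per minute
INVOICES = [  # constructed rows; "owner" plays the part of the RLS column
    {"id": "inv-1", "owner": "u1", "amount_cents": 5000, "description": "Design sprint"},
    {"id": "inv-2", "owner": "u2", "amount_cents": 9900, "description": "Audit"},
]
AUDIT = []
window_counts = {}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Step 2: algorithm pinned, signature compared in constant time, expiry enforced,
    all before any claim is trusted."""
    try:
        header, body, sig = token.split(".")
        if json.loads(unb64url(header)).get("alg") != "HS256":
            raise PermissionError("unexpected alg")        # blocks alg=none downgrade
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(unb64url(body))
    except (ValueError, AttributeError):
        raise PermissionError("malformed token")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("token expired")
    return claims

def check_rate_limit(user: str, now: float) -> None:
    """Step 4: fixed 60 s window per user; runs after auth so the key is a real user."""
    key = (user, int(now // 60))
    window_counts[key] = window_counts.get(key, 0) + 1
    if window_counts[key] > RATE_LIMIT:
        raise PermissionError("rate limited")

def validate_invoice(payload: dict) -> dict:
    """Step 4: allow-list validation; only the fields we accept come out."""
    amount = payload.get("amount_cents")
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= 10_000_000:
        raise ValueError("amount_cents must be an int in (0, 10_000_000]")
    desc = str(payload.get("description", "")).strip()
    if not 0 < len(desc) <= 200 or any(ord(c) < 32 for c in desc):
        raise ValueError("description must be 1-200 printable characters")
    return {"amount_cents": amount, "description": desc}

def scoped_query(user: str) -> list:
    """Step 5: models a Postgres RLS policy such as USING (owner = auth.uid());
    the handler never gets an unfiltered query to misuse."""
    return [dict(r) for r in INVOICES if r["owner"] == user]

def append_audit(actor: str, action: str, detail: str, ts: float) -> dict:
    """Step 6: hash-chained entry; altering any earlier row breaks verify_audit_chain()."""
    prev = AUDIT[-1]["hash"] if AUDIT else "0" * 64
    entry = {"seq": len(AUDIT), "ts": ts, "actor": actor, "action": action,
             "detail": detail, "prev": prev}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    AUDIT.append(entry)
    return entry

def verify_audit_chain() -> bool:
    prev = "0" * 64
    for e in AUDIT:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or digest != e["hash"]:
            return False
        prev = e["hash"]
    return True

def handle_request(token: str, action: str, payload: dict, now: float) -> dict:
    """Steps 1-6 in order; any failure short-circuits before the data layer is touched."""
    claims = verify_jwt(token, now=now)                          # 2. authentication
    if claims.get("sid") not in ACTIVE_SESSIONS:
        raise PermissionError("session revoked")                 # 2. session check
    user, role = claims["sub"], claims.get("role", "viewer")
    if action not in ROLE_PERMS.get(role, set()):
        raise PermissionError(f"role {role} may not {action}")  # 3. RBAC
    check_rate_limit(user, now)                                  # 4. rate limit
    if action == "invoice:create":
        row = {"id": f"inv-{len(INVOICES) + 1}", "owner": user, **validate_invoice(payload)}
        INVOICES.append(row)                                     # 5. write; owner forced to actor
        result, detail = dict(row), row["id"]
    else:
        result = scoped_query(user)                              # 5. read; row-level scoped
        detail = f"{len(result)} rows"
    append_audit(user, action, detail, now)                      # 6. audit
    return {"ok": True, "data": result}
```

Two points the steps alone do not show: the owner column on a write is taken from the verified token, never from the request body, so a client cannot create rows on someone else's behalf; and the hash chain only makes the log tamper-evident, so "cannot be altered" in practice also needs the log to live in storage the application role can append to but not update.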

Security practices

We follow industry best practices across all areas of our platform.

Data Protection

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Secure key management with rotation policies
  • Database-level row security enforcement

Access & Authentication

  • Multi-factor authentication available
  • Session management with secure tokens
  • Role-based access control (RBAC)
  • API key scoping and rotation

Infrastructure

  • Enterprise-grade cloud hosting
  • Geographic redundancy for critical data
  • Automated backups with point-in-time recovery
  • Network isolation and firewall protection

Monitoring & Response

  • Real-time security monitoring
  • Automated threat detection
  • Incident response procedures
  • Regular security assessments

Data protection

Your verified records are immutable by design — that's the foundation of trust. You maintain ownership of your data and can export it at any time.

  • 100% data ownership
  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit

Responsible disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly so we can address it promptly.

Email: security@vurrk.com

Response time: We aim to acknowledge reports within 24 hours

Please include: Description, steps to reproduce, potential impact

Security FAQs

Answers to common security and compliance questions.

Are you SOC 2 certified?
We are currently working toward SOC 2 Type II certification. Our infrastructure and processes are designed following SOC 2 principles for security, availability, and confidentiality. We expect to complete formal certification as we scale.
How do you handle GDPR compliance?
Our platform is designed with GDPR principles at its core: data minimization, purpose limitation, storage limitation, and respect for user rights. We provide data export, deletion requests (subject to verified record immutability), and transparent data processing.
Do you expose any database credentials in the frontend?
No. Sensitive credentials are kept server-side only; the frontend communicates only through authenticated API endpoints and edge functions.
How do you protect data in transit and at rest?
Data in transit is protected using TLS 1.3. Data at rest is encrypted using AES-256. We enforce strict access controls and maintain audit logs for all security-sensitive actions.
Can clients verify records without creating an account?
Yes. Client confirmation flows use secure, time-limited tokens and do not require full account creation. This reduces friction while maintaining security.
How do you handle payment data?
We do not store payment card data on our servers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We only store transaction metadata and status.
Do you support audit trails?
Yes. All trust-critical actions (invoice creation, confirmations, disputes, escrow releases) are logged with timestamps, actor identification, and state transitions. These logs are immutable.
Can I restrict API access?
Yes. API keys can be scoped, rotated, and revoked. We recommend using least-privilege principles and rotating keys regularly.
Where is my data stored?
Data is stored on enterprise-grade cloud infrastructure. We use Supabase (backed by AWS) with data centers in regions that comply with applicable data protection requirements.
How can I report a security issue?
Please contact us immediately at security@vurrk.com or use the contact form with "Security" selected. We take all reports seriously and will respond promptly to coordinate remediation.
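
The FAQ answer on account-less client confirmation describes "secure, time-limited tokens". The following is an added example of how such a token can be built so that it is bound to one invoice and one recipient, expires, and works once; it is not Vurrk's code, and the key, the 72 h lifetime, the token layout and the invoice records are assumptions.

```python
"""Time-limited, single-use confirmation token for account-less client confirmation.
Added example, not Vurrk's code; key, TTL, layout and records are assumptions."""
import hashlib, hmac, secrets

SECRET = b"demo-confirmation-key-not-for-production"  # assumption: server-side only
TTL_SECONDS = 72 * 3600                                 # assumption: link lifetime
INVOICES = {  # constructed records; the recipient comes from here, never from the request
    "inv-1": {"recipient": "client@example.com", "status": "sent"},
    "inv-2": {"recipient": "other@example.com", "status": "sent"},
}
used_nonces = set()  # assumption: a DB table in practice, so replay protection survives restarts

def mint_confirmation_token(invoice_id: str, now: float) -> str:
    """Bind purpose, invoice, recipient and deadline into the MAC, so the same link
    cannot confirm a different invoice or be redirected to another recipient."""
    recipient = INVOICES[invoice_id]["recipient"]
    exp, nonce = int(now) + TTL_SECONDS, secrets.token_hex(8)
    msg = f"confirm:{invoice_id}:{recipient}:{exp}:{nonce}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{exp}.{nonce}.{mac}"   # sent as /confirm/<invoice_id>?t=<token>

def confirm_with_token(invoice_id: str, token: str, now: float) -> dict:
    """Verify the MAC first (constant time), then expiry, then single use; only then mutate."""
    try:
        exp_s, nonce, mac = token.split(".")
        exp = int(exp_s)
    except ValueError:
        raise PermissionError("malformed token")
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise PermissionError("unknown invoice")
    msg = f"confirm:{invoice_id}:{inv['recipient']}:{exp}:{nonce}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise PermissionError("invalid token")      # tampered, or minted for another invoice
    if now >= exp:
        raise PermissionError("token expired")
    if nonce in used_nonces:
        raise PermissionError("token already used")
    used_nonces.add(nonce)
    inv["status"] = "confirmed"
    return {"invoice_id": invoice_id, "confirmed_at": int(now)}
```

The token carries no claims of its own; everything it authorises is fixed by what the server mixed into the MAC when it minted the link, so there is nothing in the URL for a client to edit. Because only the server mints and verifies, a symmetric HMAC is sufficient here, and the nonce set is what turns a time-limited link into a single-use one.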

Have security questions?

Our team is available to discuss your specific security requirements.

Contact Us