Videntic
Security

The security your brand deserves.

Security isn’t something we bolt on. It shapes how we build, how we operate, and how we think about every feature we ship.

Last updated April 18, 2026

Region: EU-only data
Encryption: TLS 1.2+ / AES-256
Record: Zero data breaches
Response: 72-hour GDPR notification

01 Infrastructure & Hosting

Enterprise-grade infrastructure, by default.

We run on providers that collectively serve hundreds of thousands of companies and bring physical, network, and operational security a small team could never build alone. Every change to how our services run is reviewed, version-controlled, and reproducible.

Google Cloud Platform
Application compute in europe-north1 (Finland). SOC 2 Type 2 and ISO/IEC 27001 certified.
Vercel (EU edge)
Frontend delivery across EU edge locations with enterprise security controls.
Supabase (EU)
Database and authentication hosted in an EU region, with published audit reports.
Redis (EU)
Cache layer hosted in an EU region, encrypted at rest and in transit.
02 Data Protection

Encrypted everywhere, visible to no one extra.

Customer data is encrypted in transit and at rest. Our codebase eliminates entire classes of common web vulnerabilities, and dependencies are monitored continuously.

Encrypted in transit
All network traffic to and from Videntic uses TLS 1.2 or higher, including calls to every third-party API.
Encrypted at rest
Database, file storage, cache, and backups are encrypted with AES-256, with keys managed by our cloud providers’ KMS.
Payments never touch us
Stripe handles card details end-to-end. We only ever see anonymous identifiers for customers and subscriptions.
Passwords
We don’t store passwords in any form we can read. Credentials are hashed by our identity provider using modern standards.
Application security
Strict input validation and parameterized database access prevent SQL injection, XSS, and open redirects. User input sent to AI is sanitized and normalized.
Dependency monitoring
Dependabot continuously monitors every repository for known vulnerabilities across our dependency tree.
03 Access Control

A small, named group. Every one on MFA.

Only a small, named group of people can reach production systems at Videntic. We follow the principle of least privilege and separate customer data at the application and database level.

MFA + SSO everywhere
Every operator uses multi-factor authentication and single sign-on across cloud consoles, database, repository, payments, and internal dashboards.
Two-person approval
Any change to critical infrastructure requires an explicit second approval from our CTO or CEO.
Least privilege
Access is provisioned only to those who need it for their role, and only to the resources required.
Offboarding checklist
When someone leaves, all access is manually revoked across every system on their final day, following a written checklist.
Tenant isolation
Customer data is logically separated at the application and database level. One customer cannot reach another’s data.
04 AI and Your Data

Your data is not training data.

Our product uses AI extensively, so we know this is the question enterprise customers ask most often. Here’s how we handle it.

No training on your data
Foundation models are accessed through enterprise API tiers. By their terms, API inputs are not used for training. We do not fine-tune on customer data.
Per-customer isolation
Retrieval queries, conversation state, and vector embeddings are all scoped by customer identity. One customer’s AI cannot surface another’s data.
Traceable by design
Every AI interaction is recorded through our observability tooling with 30-day retention. Exactly what the AI did, when, and on what inputs.
05 Monitoring & Logging

We watch continuously. On-call, always.

Our systems are continuously monitored through Sentry (with PII filtering enabled), Google Cloud Logging, and provider-native dashboards. Alerts flow to an on-call rotation available around the clock.

Retention
Application errors: 90 days
Infrastructure logs: 30 days
AI agent traces: 30 days
Database backups: 7 days, rolling
06 Business Continuity

Tested backups. Defined recovery objectives.

Our database is backed up automatically every day with 7-day rolling retention. Backups are AES-256 encrypted with point-in-time recovery, and we have tested restoring from backup.

RTO: 1–4 hours
Service restoration target after a major incident. Our Recovery Time Objective.
RPO: max 24 hours
Maximum data loss bounded by the daily backup interval. Our Recovery Point Objective.
Auto-healing platform
Auto-scales within its cloud region and recovers automatically from instance failures through health checks and load distribution.
07 Incident Response

Detect. Contain. Notify. Learn.

No company can promise nothing will ever go wrong. What we can promise is how we respond when it does. To date, Videntic has experienced no data breaches.

1. Detect: Automated monitoring and alerting across the stack.
2. Escalate: A named priority chain of responders, available at any hour.
3. Contain: Isolate affected services without taking the whole system down.
4. Notify: Affected customers within 72 hours of any confirmed personal data breach, per GDPR Article 33.
5. Review: Documented post-mortem and a fix for the root cause.

08 Your Rights & Data Handling

Your data, your rights.

GDPR gives you specific, enforceable rights over the data we hold about you. We respond within 30 days, usually faster.

You have the right to access the data we hold (Art. 15), correct it (Art. 16), have us delete it (Art. 17), export it in a portable format (Art. 20), or object to specific uses (Art. 21). Email info@videntic.com to exercise any of them.

When you delete your account

We permanently erase the customer data we control: database records, file storage, AI conversation history, analytics. Data may persist briefly in encrypted backups (up to 7 days) before being rotated out. Data held by independent processors (e.g. Stripe) is retained under their own policies.

09 Where We’re Going

We’re not standing still.

Over the next 12–18 months we’re strengthening our formal security program and publishing more of our controls externally.

Data Processing Agreements
Standard DPAs with every subprocessor in our stack.
Third-party penetration test
An independent penetration test, commissioned externally.
SOC 2 Type 2 attestation
Pursuing formal Videntic attestation.

Found a security issue? Have a question?

Email info@videntic.com and you’ll get a response within 48 hours. We don’t pursue researchers who report issues in good faith.