Security

The security your brand deserves.

Security isn't something we bolt on. It shapes how we build, how we operate, and how we think about every feature we ship.

Last updated April 18, 2026

Region

EU-only data

Encryption

TLS 1.2+ / AES-256

Record

Zero data breaches

Response

72-hour GDPR notification

01Infrastructure & Hosting

Enterprise-grade infrastructure, by default.

We run on providers that collectively serve hundreds of thousands of companies and bring physical, network, and operational security a small team could never build alone. Every change to how our services run is reviewed, version-controlled, and reproducible.

Google Cloud Platform
Application compute in europe-north1 (Finland). SOC 2 Type 2 and ISO/IEC 27001 certified.
Vercel (EU edge)
Frontend delivery across EU edge locations with enterprise security controls.
Supabase (EU)
Database and authentication hosted in an EU region, with published audit reports.
Redis (EU)
Cache layer hosted in an EU region, encrypted at rest and in transit.
02Data Protection

Encrypted everywhere, visible to no one extra.

Customer data is encrypted in transit and at rest. Our codebase eliminates entire classes of common web vulnerabilities, and dependencies are monitored continuously.

Encrypted in transit
All network traffic to and from Videntic uses TLS 1.2 or higher, including calls to every third-party API.
Encrypted at rest
Database, file storage, cache, and backups are encrypted with AES-256, with keys managed by our cloud providers' KMS.
Payments never touch us
Stripe handles card details end-to-end. We only ever see anonymous identifiers for customers and subscriptions.
Passwords
We don't store passwords in any form we can read. Credentials are hashed by our identity provider using modern standards.
Application security
Strict input validation and parameterized database access prevent SQL injection, XSS, and open redirects. User input sent to AI is sanitized and normalized.
Dependency monitoring
Dependabot continuously monitors every repository for known vulnerabilities across our dependency tree.
03Access Control

A small, named group. Every one on MFA.

Only a small, named group of people can reach production systems at Videntic. We follow the principle of least privilege and separate customer data at the application and database level.

MFA + SSO everywhere
Every operator uses multi-factor authentication and single sign-on across cloud consoles, database, repository, payments, and internal dashboards.
Two-person approval
Any change to critical infrastructure requires an explicit second approval from our CTO or CEO.
Least privilege
Access is provisioned only to those who need it for their role, and only to the resources required.
Offboarding checklist
When someone leaves, all access is manually revoked across every system on their final day, following a written checklist.
Tenant isolation
Customer data is logically separated at the application and database level. One customer cannot reach another's data.
04AI and Your Data

Your data is not training data.

Our product uses AI extensively, so we know this is the question enterprise customers ask most often. Here's how we handle it.

No training on your data
Foundation models are accessed through enterprise API tiers. By their terms, API inputs are not used for training. We do not fine-tune on customer data.
Per-customer isolation
Retrieval queries, conversation state, and vector embeddings are all scoped by customer identity. One customer's AI cannot surface another's data.
Traceable by design
Every AI interaction is recorded through our observability tooling with 30-day retention. Exactly what the AI did, when, and on what inputs.
05Monitoring & Logging

We watch continuously. On-call, always.

Continuously monitored through Sentry (with PII filtering enabled), Google Cloud Logging, and provider-native dashboards. Alerts flow to an on-call rotation available around the clock.

Retention
Application errors90 days
Infrastructure logs30 days
AI agent traces30 days
Database backups7 days, rolling
06Business Continuity

Tested backups. Defined recovery objectives.

Our database is backed up automatically every day with 7-day rolling retention. Backups are AES-256 encrypted with point-in-time recovery, and we have tested restoring from backup.

RTO: 1–4 hours
Service restoration target after a major incident. Our Recovery Time Objective.
RPO: max 24 hours
Maximum data loss bounded by the daily backup interval. Our Recovery Point Objective.
Auto-healing platform
Auto-scales within its cloud region and recovers automatically from instance failures, health checks, and load distribution.
07Incident Response

Detect. Contain. Notify. Learn.

No company can promise nothing will ever go wrong. What we can promise is how we respond when it does. To date, Videntic has experienced no data breaches.

1
Detect
Automated monitoring and alerting across the stack.
2
Escalate
A named priority chain of responders, available at any hour.
3
Contain
Isolate affected services without taking the whole system down.
4
Notify
Affected customers within 72 hours of any confirmed personal data breach, per GDPR Article 33.
5
Review
Documented post-mortem and a fix for the root cause.
08Your Rights & Data Handling

Your data, your rights.

GDPR gives you specific, enforceable rights over the data we hold about you. We respond within 30 days, usually faster.

You have the right to access the data we hold (Art. 15), correct it (Art. 16), have us delete it (Art. 17), export it in a portable format (Art. 20), or object to specific uses (Art. 21). Email [email protected] to exercise any of them.

When you delete your account
We permanently erase the customer data we control: database records, file storage, AI conversation history, analytics. Data may persist briefly in encrypted backups (up to 7 days) before being rotated out. Data held by independent processors (e.g. Stripe) is retained under their own policies.
09Where We're Going

We're not standing still.

Over the next 12–18 months we're strengthening our formal security program and publishing more of our controls externally.

Data Processing Agreements
Standard DPAs with every subprocessor in our stack.
Third-party penetration test
An independent penetration test, commissioned externally.
SOC 2 Type 2 attestation
Pursuing formal Videntic attestation.

Found a security issue? Have a question?

Email [email protected] and you'll get a response within 48 hours. We don't pursue researchers who report issues in good faith.

Videntic

Automated GEO-optimization for brands.

Features

Sira AI Agent

Analytics

Optimization

Blog Manager

Resources

Docs

Blog

Changelog

Security

Company

About

Pricing

Privacy Policy

Terms of Service

© 2026 Videntic. All rights reserved.

Built for AI search.

Videntic

Automated GEO-optimization for brands.

Features

Sira AI Agent

Analytics

Optimization

Blog Manager

Resources

Docs

Blog

Changelog

Security

Company

About

Pricing

Privacy Policy

Terms of Service

© 2026 Videntic. All rights reserved.

Built for AI search.

Videntic

Automated GEO-optimization for brands.

Features

Sira AI Agent

Analytics

Optimization

Blog Manager

Resources

Docs

Blog

Changelog

Security

Company

About

Pricing

Privacy Policy

Terms of Service

© 2026 Videntic. All rights reserved.

Built for AI search.