Security & Privacy

Learn how Vectly protects your data with enterprise-grade security and privacy measures.

Last Updated: 5/27/2025

At Vectly, we take the security and privacy of your data seriously. This guide explains our security measures, privacy practices, and how we protect your information throughout the platform.

Security Overview

Our Security Commitment

  • Enterprise-grade protection for all user data
  • End-to-end encryption for data transmission
  • Zero-knowledge architecture for sensitive information
  • Regular security audits and updates
  • Compliance with industry standards

Security Features

  • Multi-factor authentication (coming soon)
  • Encrypted data storage
  • Secure API endpoints
  • Session management
  • Access logging

Data Protection

Encryption

In Transit

  • TLS 1.3 for all connections
  • Certificate pinning for API calls
  • Encrypted websockets for real-time features
  • No plain text transmission

At Rest

  • AES-256 encryption for sensitive data
  • Encrypted database storage
  • Secure file storage with access controls
  • Backup encryption for disaster recovery

Access Control

Authentication

  • Secure password requirements
    • Minimum 8 characters
    • Complexity requirements
    • No common passwords
    • Regular change prompts
  • OAuth Integration
    • Google authentication
    • GitHub authentication
    • No password storage
    • Token-based access

Authorization

  • Row-level security in database
  • User isolation for all data
  • Project-based permissions
  • API key scoping (coming soon)

Infrastructure Security

Hosting

  • Cloud infrastructure with security certifications
  • Geographic redundancy for availability
  • DDoS protection at network level
  • Regular security patching

Database

  • Supabase/PostgreSQL with RLS
  • Automated backups with encryption
  • Point-in-time recovery capabilities
  • Access audit logs

Privacy Practices

Data Collection

What We Collect

  • Account Information
    • Email address
    • Name (optional)
    • Authentication tokens
    • Usage preferences
  • Usage Data
    • Chat conversations
    • Uploaded documents
    • Project metadata
    • Feature usage
  • Technical Data
    • IP addresses (used for security purposes only)
    • Browser information
    • Error logs
    • Performance metrics

What We DON'T Collect

  • Plain-text passwords (only password hashes are stored)
  • Payment card details (handled by Stripe)
  • Personal files outside uploads
  • Browsing history
  • Location data

Data Usage

How We Use Your Data

  1. Service Delivery
    • Process AI requests
    • Store conversations
    • Manage projects
    • Enable features
  2. Service Improvement
    • Fix bugs
    • Improve performance
    • Develop features
    • Enhance security
  3. Communication
    • Account notifications
    • Security alerts
    • Product updates
    • Support responses

How We DON'T Use Your Data

  • ❌ Train AI models on your content
  • ❌ Sell to third parties
  • ❌ Share without consent
  • ❌ Use for advertising
  • ❌ Profile for marketing

Third-Party Services

AI Providers

When you use AI models:

  • Your content is sent to the provider's API
  • Providers: OpenAI, Anthropic, Cohere
  • Each provider has its own privacy policy
  • No long-term storage by providers
  • No training on your data

Payment Processing

  • Stripe handles all payments
  • We never see card numbers
  • PCI compliant processing
  • Secure checkout flow
  • Tokenized transactions

Analytics (Minimal)

  • Basic usage metrics only
  • No personal data tracking
  • Aggregate statistics
  • Performance monitoring
  • Error tracking

User Rights

Your Privacy Rights

Access Your Data

  • Download conversation history
  • Export project files
  • View account information
  • Request usage logs
  • Get transaction records

Control Your Data

  • Edit personal information
  • Delete conversations
  • Remove projects
  • Clear upload history
  • Manage preferences

Data Portability

  • Export in standard formats
  • Machine-readable data
  • Complete history available
  • No vendor lock-in
  • Easy migration

Right to Deletion

  • Delete account anytime
  • Remove all personal data
  • Clear conversation history
  • Permanent deletion option
  • 30-day recovery period

Data Retention

Active Accounts

  • Conversations kept indefinitely
  • Files stored while needed
  • Logs retained 90 days
  • Backups kept 30 days
  • You control deletion

Inactive Accounts

  • Reminder after 6 months
  • Archived after 12 months
  • Deletion after 18 months
  • Recovery possible
  • Export before deletion

After Deletion

  • 30-day grace period
  • Then permanent removal
  • Backups purged
  • Anonymized analytics retained
  • Legal holds respected

Security Best Practices

For Your Account

Strong Authentication

  1. Use strong passwords
    • Unique to Vectly
    • Complex combination
    • Password manager recommended
    • Regular updates
  2. Enable 2FA (when available)
    • Extra security layer
    • Protects against breaches
    • Multiple options
    • Backup codes

Safe Usage

  • Don't share credentials
  • Log out on public devices
  • Monitor account activity
  • Report suspicious behavior
  • Keep email secure

For Your Data

Sensitive Information

  • Avoid uploading:
    • Personal identification
    • Financial records
    • Medical information
    • Passwords/keys
    • Confidential data

Safe Sharing

  • Use project permissions wisely
  • Review before sharing chats
  • Anonymize sensitive data
  • Control GitHub access
  • Audit regularly

API Security (Coming Soon)

Key Management

  • Rotate keys regularly
  • Use environment variables
  • Limit key permissions
  • Monitor usage
  • Revoke unused keys

Safe Integration

  • Use HTTPS only
  • Validate responses
  • Handle errors gracefully
  • Log security events
  • Update regularly

Compliance

Standards We Follow

Industry Standards

  • SOC 2 principles
  • ISO 27001 guidelines
  • NIST framework
  • OWASP best practices

Regulatory Compliance

  • GDPR (EU users)
  • CCPA (California users)
  • PIPEDA (Canadian users)
  • Data protection laws

Audits and Certifications

Regular Audits

  • Annual security audits
  • Penetration testing
  • Vulnerability scanning
  • Code reviews
  • Compliance checks

Transparency

  • Security updates published
  • Incident notifications
  • Compliance documentation
  • Regular communications

Incident Response

Security Incident Handling

Detection

  • 24/7 monitoring
  • Automated alerts
  • Anomaly detection
  • User reports
  • Regular scans

Response Process

  1. Immediate containment
  2. Impact assessment
  3. User notification (if affected)
  4. Remediation steps
  5. Post-incident review

User Notification

  • Clear explanation
  • Impact assessment
  • Protective measures
  • Support contact

Reporting Security Issues

Responsible Disclosure

Email: [email protected]

Include:

  • Description of issue
  • Steps to reproduce
  • Potential impact
  • Your contact info

We respond within 48 hours.

Bug Bounty

  • Rewards for valid findings
  • Clear scope and rules
  • Fast response times
  • Public acknowledgment

Data Locations

Primary Storage

  • United States: Main infrastructure
  • Multi-region: Backups and redundancy
  • CDN: Global content delivery
  • No data sales: Ever

Data Residency

  • Transparent about locations
  • Compliance with local laws
  • User choice (enterprise)
  • Clear documentation

Future Enhancements

Coming Security Features

  • Multi-factor authentication
  • SSO integration
  • Advanced audit logs

Summary

Our Promises

  ✅ Your data is encrypted and secure
  ✅ We never train AI on your content
  ✅ You maintain full control
  ✅ Transparent practices
  ✅ Regular security updates

Your Responsibilities

  ✅ Use strong passwords
  ✅ Don't share credentials
  ✅ Avoid uploading sensitive data
  ✅ Report security concerns
  ✅ Keep software updated

Contact

For security and privacy questions:

  • Security Issues: [email protected]
  • Privacy Concerns: [email protected]
  • General Support: [email protected]

We take all concerns seriously and respond promptly to ensure your data remains secure and private.