Security & Compliance

Enterprise-grade security built into every layer of our platform

VPC is built with a security-first architecture. We handle sensitive PII data with multiple layers of protection, from network isolation to application-level controls. Security is not a premium feature — it is our foundation.

Infrastructure Security

Network Isolation

  • Private subnets for database and application tiers
  • Public subnets for load balancers only
  • Network access controls and security groups for traffic filtering
  • No direct internet access to sensitive resources

Database Security

  • Encrypted at rest using managed encryption keys
  • Encrypted in transit with TLS 1.2+
  • Automated backups with point-in-time recovery
  • Deployed in private subnets, not publicly accessible

Container & Compute Security

  • Serverless container orchestration with automatic OS patching
  • Continuous container vulnerability scanning with automated deploy gating for critical and exploitable vulnerabilities
  • Runtime threat detection and monitoring on all production containers
  • Dependency scanning for application and OS-level vulnerabilities
  • Task-level access roles following least-privilege principles
  • Secrets management for API keys and credentials
  • Health checks and automatic failover

Load Balancer & Edge Security

  • CloudFront CDN with origin secret validation
  • WAF IP allowlist for development environments
  • TLS/SSL termination with managed certificates
  • HTTPS-only enforcement with HSTS preload (1-year max-age, includeSubDomains)
  • DDoS protection at the network edge

Application Security

Authentication & Authorization

  • Multi-factor authentication: TOTP, WebAuthn/Passkeys, recovery codes
  • MFA enforced for all staff accounts
  • Brute force protection with automatic lockout
  • HttpOnly, Secure, SameSite cookies
  • CSRF protection on all forms

Web Security Headers

  • Nonce-based Content Security Policy (CSP) — no unsafe-inline
  • HSTS with preload (1-year max-age, includeSubDomains)
  • Clickjacking protection (X-Frame-Options)
  • MIME sniffing prevention
  • Referrer policy controls

Input Validation

  • File upload validation: size, type, and MIME checking
  • Rate limiting on file uploads (10/hour per user, 20/hour per IP)
  • XSS prevention through input sanitization
  • Path traversal protection on filenames
  • Parameterized queries to prevent SQL injection

Monitoring & Logging

  • Structured audit trail: 9+ sensitive operations logged with user, IP, timestamp, and action
  • Failed login tracking and security alerts
  • Infrastructure monitoring and uptime tracking
  • Error tracking and performance monitoring

Data Security & Privacy

Encryption

  • In transit: TLS 1.2+ for all connections (HTTPS, database, API)
  • At rest: AES-256-GCM authenticated encryption for uploaded files
  • Per-tenant encryption keys for uploaded files
  • ElastiCache with TLS encryption in transit
  • Secrets management for API keys and credentials

Data Retention & Minimization

  • Uploaded files are encrypted immediately and deleted after processing begins
  • PII fields are cleared from processing tables after results are generated
  • Only breach match results and aggregated summaries are retained
  • Raw PII is never stored long-term

Multi-Tenant Isolation

  • Per-tenant database schemas for complete data separation
  • Per-project tables within each tenant
  • Per-tenant encryption keys
  • Role-based access with tenant, company, and project permissions

Compliance & Standards

Active

Data Minimization

Files deleted after processing. PII cleared from tables. Only breach results retained.

Active

Secure Authentication

Argon2 password hashing, MFA (TOTP + WebAuthn/Passkeys), brute-force lockout, session timeouts.

Active

OWASP Top 10 Aligned

Security controls aligned with the OWASP Top 10 2021 framework including CSP, input validation, and dependency scanning.

Planned

SOC 2 Type II

Independent audit of security, availability, and confidentiality controls.

Active

Penetration Testing

Pen test in progress (March 2026). Security hardening completed across infrastructure, application, and containers.

Active

HSTS Preload

HTTP Strict Transport Security with preload list inclusion for all domains.

Active

Container Scanning

Continuous container vulnerability scanning with automated deploy gating. Runtime threat monitoring on all production workloads.

Incident Response

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. Please report security issues to our security team. We commit to acknowledging reports within 48 hours and providing fixes within 30 days for critical issues.

Breach Notification

In the event of a data breach affecting customer data, we will notify affected customers within 72 hours and provide a description of the incident, types of data affected, mitigation steps taken, and recommended actions.

Continuous Monitoring

All production systems are continuously monitored for security threats, vulnerable dependencies, and anomalous behavior. Our team is automatically alerted when issues are detected.

Best Practices for Users

Enable Multi-Factor Authentication

Set up TOTP or register a Passkey (Face ID, Touch ID, Windows Hello) in your account settings for an additional layer of protection.

Use Strong Passwords

Use a minimum of 12 characters with a mix of upper/lowercase letters, numbers, and symbols.

Review Account Activity

Regularly check your account activity for any suspicious actions or unauthorized access.

Always Use HTTPS

Access VPC only via HTTPS. We set HSTS headers so your browser automatically upgrades to a secure connection.

Security Contact

For security-related inquiries, vulnerability reports, or compliance questions, contact our team.

security@validatepiiclasses.com