Trust

Security at Vyntro AI

Defence-in-depth from the database to the browser. Built on managed cloud infrastructure, audited regularly, and aligned with Pakistan PECA 2016 and GDPR.

Encryption everywhere

TLS 1.2+ for every request in transit. AES-256 at rest for the database, file storage, and backups. Keys rotated on a fixed schedule.

Row-Level Security

Every table enforces Postgres RLS policies. A user can only read or write their own rows — checked by the database, not just the app.

Hashed credentials

Passwords are salted and hashed using industry-standard algorithms (bcrypt / argon2). Plaintext passwords never touch our servers or logs.

Fraud & abuse detection

Risk-scored payment submissions, duplicate-receipt detection, hourly credit caps, and automatic account suspension on anomalous usage.

Audit logs

Every admin action — approvals, rejections, suspensions, content edits — is recorded with actor, target, IP, and timestamp.

AI isolation

Your prompts are forwarded to model providers (OpenAI, Google, Anthropic) under their data-processing terms. Outputs are stored in your account only.

Hardened infrastructure

Edge-deployed compute, managed Postgres on isolated instances, automated daily backups with point-in-time recovery.

Compliance-aligned

Aligned with Pakistan PECA 2016, GDPR (EU), and CCPA (California). Data Processing Addendum available on request.

Least-privilege access

Only on-call engineers can access production, gated by 2FA and time-bound credentials. All access is logged.

Data portability & deletion

Export your account data or delete it permanently from Account Settings. Verified deletion within 30 days, subject to legal retention.

Breach notification

If a breach affects your data, we notify the relevant authority within 72 hours and inform affected users without undue delay.

Vulnerability disclosure

Report a security issue to security@vyntro.ai. We acknowledge within 24 hours and remediate critical issues on priority.

Our security model

Vyntro AI is a multi-tenant platform where each user's data must remain strictly isolated. We achieve this through three independent layers — network, application, and database — so that a failure in any single layer does not compromise customer data.

1. Network layer

  • All traffic is served over HTTPS with TLS 1.2 or higher. HTTP requests are redirected.
  • HSTS is enforced so browsers refuse to downgrade to insecure connections.
  • Strict Content-Security-Policy and standard security headers (X-Frame-Options, Referrer-Policy, Permissions-Policy) limit cross-site exposure.
  • Rate limiting and bot protection on authentication, payment, and AI endpoints.

2. Application layer

  • Authentication via Supabase Auth — email/password with strong-password requirements and Google OAuth.
  • Server-side authorisation on every protected route. Client-side checks are treated as UX only.
  • Input validation with Zod on every server function and API route. Hard length limits on every text field.
  • Per-user rate-limit buckets in the database for AI generations and payment submissions.
  • Atomic credit debits and refunds via database functions to prevent race conditions.

3. Database layer

  • Postgres Row-Level Security (RLS) on every user-data table. Policies are reviewed on every schema change.
  • Roles are stored in a dedicated user_roles table and checked through a SECURITY DEFINER function — never trusted from client input.
  • Service-role keys are only used from server-side code paths that have already validated the caller.
  • Daily encrypted backups with 7-day point-in-time recovery.

Payment integrity

  • Payment proofs are uploaded to a private storage bucket. Only the submitting user and admins can read them.
  • Each submission is risk-scored on the server: duplicate transaction IDs, duplicate file hashes, amount mismatches, and very new accounts all increase the score.
  • Submissions over a configurable risk threshold are flagged for manual review.
  • Hourly per-account credit-spend caps automatically suspend an account on suspected fraud and notify the user.

AI model providers

We forward your prompts and attachments to the model provider you selected (Google, OpenAI, or Anthropic). Each provider processes your input under their own data-processing terms and our enterprise agreements with them. Your prompts and outputs are not used to train third-party models. We retain a copy of your prompts and outputs in your account so you can revisit them; you can delete them at any time.

Vulnerability disclosure

If you discover a security vulnerability, please report it privately to security@vyntro.ai with reproduction steps. Do not publicly disclose the issue until we have had a reasonable opportunity to remediate. We acknowledge reports within 24 hours, target critical fixes within 7 days, and credit researchers on request.

Incident response

  • An on-call engineer is paged within minutes of a Sev-1 incident.
  • If a personal-data breach occurs that is likely to risk your rights and freedoms, we notify the relevant supervisory authority within 72 hours and affected users without undue delay.
  • A post-incident report is published to /status for transparency.

SOC 2 roadmap

We're working toward SOC 2 Type II attestation. Current progress:

  • Q1 — Security policies, access reviews, and asset inventory completed. Internal control framework documented.
  • Q2 — Vendor risk assessments, employee security training, and incident-response runbooks formalised.
  • Q3 (in progress) — Type I readiness assessment with an independent auditor. SIEM and centralised logging deployment.
  • Q4 (planned) — Type II observation window begins. Quarterly access reviews, penetration test, and tabletop exercises.
  • Next year — Type II report available to enterprise customers under NDA. ISO 27001 readiness assessment kicks off.

For SOC 2 questions, security questionnaires, or to request our current security overview, email security@vyntro.ai.

Bug bounty

Vyntro AI operates a private bug bounty for verified security researchers. Eligible reports include authentication bypass, IDOR / privilege escalation, RCE, SQL injection, stored XSS in authenticated contexts, and payment-flow fraud. Out of scope: missing security headers without demonstrable impact, self-XSS, rate-limit bypasses without account takeover, and social-engineering. Send a detailed reproduction (steps, payloads, screenshots) to security@vyntro.ai with the subject line [BOUNTY]. We acknowledge within 24 hours; rewards are issued for valid, original reports once a fix has shipped.

Compliance & data residency

  • Aligned with Pakistan's Prevention of Electronic Crimes Act 2016 (PECA), the EU GDPR, and CCPA / CPRA.
  • Cloud infrastructure providers are SOC 2 Type II and ISO 27001 certified.
  • Data Processing Addendum (DPA) and Standard Contractual Clauses (SCCs) available on request to legal@vyntro.ai.

Contact