API keys are never stored in plaintext. We store only a SHA-256 hash of each key. Once generated, the full key is shown once and never retrievable — not even by Vaultak staff.
Data Encryption
All data is encrypted in transit using TLS 1.2+. Database connections use SSL. Sensitive fields are never logged.
Data Isolation
Every organization's data is fully isolated. All database queries are scoped to your organization ID — it is impossible to access another organization's agents, actions, or alerts.
Infrastructure
Hosting
Vaultak runs on Railway (backend) and Vercel (dashboard), both SOC 2 Type II certified providers. The database is hosted on Railway's managed PostgreSQL with automated backups.
Rate Limiting
All API endpoints are rate limited to 100 requests per 60 seconds per API key. Exceeding this limit returns a 429 response with a Retry-After header.
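As an added example (not Vaultak's implementation), here is a sliding-window limiter that applies the stated policy of 100 requests per 60 seconds per API key and produces the 429 response with a Retry-After header. The clock is injectable so the behaviour can be exercised without waiting; the request handler and header layout are assumptions for illustration.

```python
import math
import time
from collections import deque

LIMIT = 100           # requests per window, as stated on the page
WINDOW_SECONDS = 60   # window length, as stated on the page

class RateLimiter:
    """Sliding-window limiter: at most `limit` requests in any `window` seconds per key."""

    def __init__(self, limit: int = LIMIT, window: int = WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                      # injectable for deterministic testing
        self._hits: dict[str, deque[float]] = {}  # per-key timestamps of accepted requests

    def check(self, api_key: str) -> tuple[bool, int]:
        """Return (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        now = self.clock()
        q = self._hits.setdefault(api_key, deque())
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            # The oldest accepted request leaves the window first; that is when
            # capacity frees up, so Retry-After is rounded up to that moment.
            retry_after = math.ceil(q[0] + self.window - now)
            return False, max(retry_after, 1)
        q.append(now)
        return True, 0

def handle_request(limiter: RateLimiter, api_key: str) -> tuple[int, dict[str, str]]:
    """Hypothetical handler: returns (status, headers) for the limited endpoint."""
    allowed, retry_after = limiter.check(api_key)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}
    return 200, {}
```

Rejected requests are not recorded, so a client that keeps retrying while limited does not push its own Retry-After further out; each key has its own window, so one noisy key cannot starve another.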
Authentication
User authentication is handled by Clerk, a SOC 2 Type II certified identity provider. Vaultak never stores passwords. API keys use prefix-based identification with hash verification.
Compliance
SOC 2 — In Progress
SOC 2 Type II
Vaultak is currently working toward SOC 2 Type II certification. We follow SOC 2 security principles including access controls, encryption, monitoring, and incident response procedures.
GDPR
Vaultak processes only the data necessary to provide the service. Users can request deletion of their data at any time by contacting security@vaultak.com.
Responsible Disclosure
Vulnerability Reporting
If you discover a security vulnerability in Vaultak, please report it to security@vaultak.com. We will respond within 48 hours and work with you to resolve the issue responsibly. We do not pursue legal action against researchers who act in good faith.
Security Contact
For security inquiries, vulnerability reports, or compliance documentation requests, contact our security team directly.