Security

This page lists the security features that are implemented today.

Transport Security

Requests to the Vettly API are served over HTTPS. Exact TLS versions and cipher suites depend on the deployment environment and fronting provider.

Authentication

Dashboard authentication is handled via Clerk. Any MFA/SSO capabilities are governed by your Clerk configuration and plan.

API Keys

API keys are stored as SHA-256 hashes. Full keys are only shown once at creation and are not re-displayed via key listing endpoints.
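
The storage model described above, sketched as an added example; it is not Vettly's code. The class name, the `sk_example_` prefix, the key length, and the four-character listing hint are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """Hash-only API key store (illustrative; all names here are hypothetical)."""

    def __init__(self):
        # key_id -> {"hash": hex SHA-256 of the full key, "hint": last 4 chars}
        self._records = {}

    def create(self):
        """Mint a key and return (key_id, full_key); the full key is never kept."""
        key_id = secrets.token_hex(8)
        # 32 random bytes: enough entropy that a fast, unsalted hash cannot be
        # brute-forced, which is why SHA-256 suits random keys but not passwords.
        full_key = "sk_example_" + secrets.token_urlsafe(32)
        digest = hashlib.sha256(full_key.encode()).hexdigest()
        self._records[key_id] = {"hash": digest, "hint": full_key[-4:]}
        return key_id, full_key

    def list_keys(self):
        """Listing view: identifiers and a short hint, never the key or its hash."""
        return [{"id": k, "hint": r["hint"]} for k, r in self._records.items()]

    def verify(self, presented):
        """Return the matching key_id for a presented key, or None."""
        digest = hashlib.sha256(presented.encode()).hexdigest()
        match = None
        for key_id, record in self._records.items():
            # Constant-time comparison of the stored and computed digests.
            if hmac.compare_digest(record["hash"], digest):
                match = key_id
        return match

    def revoke(self, key_id):
        """Delete the record; a lost key cannot be recovered, only replaced."""
        return self._records.pop(key_id, None) is not None
```

Because only the digest is retained, a key that is lost after creation has to be revoked and reissued rather than looked up.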

Request Protections

The API includes rate limiting and usage quotas by tier, plus signed webhook delivery (HMAC-SHA256) for webhook endpoints.

Data Handling

Vettly supports configurable retention for decisions and evidence where those features are enabled for your account and deployment. If you have specific compliance requirements, contact us and we'll confirm what's available for your setup.

Vulnerability Reporting

If you believe you've found a vulnerability, please report it so we can investigate and fix it.

Please send vulnerability reports to:

[email protected]

Include reproduction steps, impact, and any relevant logs or screenshots.