Security is foundational to VylintShield. We protect your assessment data, generated documents, and portal access with industry-standard controls aligned with NIST CSF and common compliance frameworks. VylintShield is not itself certified under SOC 2, ISO 27001, or any other compliance framework at this time.
🔒 We have never experienced a data breach. We run continuous vulnerability scanning and maintain a responsible disclosure program.
Security Architecture
Encryption
TLS 1.3 in transit; AES-256-GCM at rest (AWS KMS). Database encryption with customer-managed keys option for Business plan.
Access Control
Email + unique access code authentication. Session-based with 30-min idle timeout. Optional MFA for Business plan. Role-based access (Admin/Viewer).
Network Security
AWS VPC with private subnets. WAF + Shield Advanced. Security groups least-privilege. DDoS protection. VPC flow logs.
Application Security
SAST/DAST in CI/CD. Dependency scanning (Dependabot). CSP, HSTS, X-Frame-Options. Input validation, parameterized queries. No eval/innerHTML.
Monitoring & Logging
Centralized CloudWatch logs. GuardDuty threat detection. Alerting on anomalies. Audit trail for all portal actions (1 yr retention).
Incident Response
NIST 800-61 aligned IR plan. 24/7 on-call rotation. <4 hr initial response target. Customer notification within 72 hrs of confirmed breach.
Compliance & Certifications
| Standard | Status | Scope |
|---|---|---|
| SOC 2 Type II | Controls aligned (not certified) | Security, Availability, Confidentiality |
| ISO 27001 | Controls aligned (not certified) | ISMS framework |
| NIST CSF | Implemented | Identify, Protect, Detect, Respond, Recover |
| HIPAA | BAA Available | PHI handling for healthcare customers |
| PCI DSS | SAQ A (Stripe) | No card data stored |
Data Protection
| Control | Implementation |
|---|---|
| Data Classification | Public, Internal, Confidential, Restricted (per ISO 27001) |
| Backup & Recovery | Daily encrypted backups, cross-region replication, RPO < 24 hr, RTO < 4 hr |
| Data Retention | Configurable per customer (default: 2 yr post-contract). Secure deletion on request. |
| Privacy by Design | Minimization, purpose limitation. DPIA for new features. |
| Third-Party Risk | Vendor security reviews. DPAs with subprocessors (Stripe, AWS, Anthropic). |
Vulnerability Management
- Scanning: Weekly automated (Trivy, Snyk). Monthly manual pen test (internal). Annual third-party (Bishop Fox / similar).
- SLA: Critical < 24 hrs, High < 7 days, Medium < 30 days, Low < 90 days.
- Responsible Disclosure: security@vylintshield.com — PGP key on request. Safe harbor guaranteed.
Supply Chain Security
- All dependencies pinned with integrity hashes (npm/yarn lockfiles)
- SLSA Level 2 build pipeline (GitHub Actions + Sigstore cosign)
- SBOM generated per release (CycloneDX)
- Vendor security reviews annually (Stripe, AWS, Anthropic, Vercel)
Physical & Personnel Security
- AWS data centers (SOC 1/2/3, ISO 27001, FedRAMP)
- Background checks for all employees/contractors
- Mandatory security training (annual + onboarding)
- Need-to-know access; quarterly access reviews
- Hardware encryption (FileVault / BitLocker), MDM on all devices
Reporting a Security Issue
We take all reports seriously. Email security@vylintshield.com with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact info (for coordination)
We acknowledge within 24 hours and provide status updates every 72 hours until resolved.
Security Contact
- General: security@vylintshield.com
- Incidents: incidents@vylintshield.com (24/7)
- PGP Key: /legal/security-pgp.txt