Vestix

Your portfolio data is sensitive. We treat it that way.

Vestix follows SOC 2-aligned security practices. This page describes the controls we have in place to protect your data and your tenants' information.

Encryption at Rest

All data is encrypted at rest using AES-256. Database volumes, file storage, and backups are encrypted. Encryption keys are managed separately from encrypted data.

Encryption in Transit

All traffic is served over TLS 1.2 or higher. HSTS headers are set with a two-year max-age and preload directive. No plaintext HTTP traffic is accepted.

Multi-Tenant Isolation

Every database query is scoped by tenant ID. There is no path by which one tenant's data can be accessed by another tenant, at any layer of the application.

Access Controls

Access within each tenant account is role-based: the owner, admin, staff, maintenance, and viewer roles each carry a distinct permission set. The principle of least privilege is enforced throughout.

Infrastructure

Vestix is hosted on AWS. No direct database access is exposed to the public internet. All administrative access requires multi-factor authentication.

Vulnerability Management

Dependencies are monitored for known vulnerabilities. Security patches are applied on a rolling basis. The API is protected against OWASP Top 10 vulnerability classes.

Data Retention & Deletion

On account cancellation, data is retained for 30 days to allow export, then securely deleted. Tenant data is never sold or shared with third parties.

Payment Security

Vestix uses Stripe Connect for payment processing. We never store or transmit card numbers. PCI compliance is inherited from Stripe's infrastructure. Vestix never holds tenant funds.

Security questions or vulnerability reports?

If you have a security question or have identified a potential vulnerability, contact us directly at security@vestix.org. We take all reports seriously and respond promptly.