Security Overview
This page is the public-facing summary of how VYRA Data secures the Insights SaaS, the marketing site, customer data, and OAuth connections to third-party platforms. It supplements the formal commitments in the Data Processing Agreement and the customer-rights protections in the Privacy Policy.
Report a security issue by emailing support@vyradata.com with the subject “Security Disclosure.” See §8 for the disclosure process.
1. Infrastructure
- Application hosting: Amazon Web Services (AWS), region us-east-2 (Ohio). Multi-AZ deployment for the database and core services.
- Ancillary services: Hostinger VPS for limited workloads where AWS pricing is uneconomical.
- Edge: Cloudflare for DNS, CDN, WAF, and DDoS mitigation in front of all public endpoints.
- Email: Resend for transactional and operational email. SPF, DKIM, and DMARC enforced on all sending domains.
- Payments: Stripe handles all card processing. VYRA Data does not store full card numbers.
2. Encryption
- In transit: TLS 1.3 with modern cipher suites on all public endpoints. HSTS enforced.
- At rest — OAuth tokens and credentials: AES-256-GCM with keys managed in AWS KMS. Keys are rotated on a defined schedule.
- At rest — database: AES-256 on the underlying storage volumes (AWS RDS encryption).
- Backups: AES-256 encrypted backups with separate KMS keys.
- Passwords: Argon2id hashing. Passwords are never stored or logged in plaintext.
3. Authentication and access
- Customer accounts: Email + password with TOTP MFA available to all users and required for administrator roles. Single sign-on (SAML/OIDC) is on the roadmap for enterprise plans.
- Role-based access control: Owner, administrator, member, viewer. Permissions are scoped per organization.
- Staff access: Least-privilege model. Production database access is restricted to a small named group, gated by MFA, and audited.
- Session management: Short-lived sessions with secure, HttpOnly, SameSite cookies. Sign-out invalidates the session server-side.
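The session and role model described in this section, shown as an added Python example (not VYRA Data's code). It assumes a 15-minute session lifetime, SameSite=Strict, a linear role ranking (viewer < member < administrator < owner), and that the MFA requirement for administrator roles also covers owners; the cookie carries only an opaque id, so sign-out can invalidate the session server-side regardless of what the browser still holds.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL_SECONDS = 15 * 60  # assumed "short-lived" window; not a VYRA-stated value

# Roles from the page, ranked so a higher role satisfies a lower requirement (assumed ordering).
ROLE_RANK = {"viewer": 0, "member": 1, "administrator": 2, "owner": 3}
MFA_REQUIRED_ROLES = {"administrator", "owner"}  # assumption: owner is an administrator role


class SessionStore:
    """Server-side session table. The browser only ever sees the opaque session id."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable for tests
        self._sessions = {}

    def create(self, user_id, org_id, role, mfa_verified=False):
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r}")
        if role in MFA_REQUIRED_ROLES and not mfa_verified:
            raise PermissionError("MFA is required for administrator roles")
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[sid] = {
            "user": user_id,
            "org": org_id,
            "role": role,
            "expires": self.clock() + self.ttl,
        }
        return sid

    def lookup(self, sid):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] <= self.clock():
            del self._sessions[sid]  # expired: drop it so it cannot be revived
            return None
        return rec

    def invalidate(self, sid):
        """Sign-out: remove the record so the cookie value is useless from now on."""
        return self._sessions.pop(sid, None) is not None


def authorize(store, sid, org_id, minimum_role):
    """Permissions are scoped per organization: the session's org must match."""
    rec = store.lookup(sid)
    if rec is None or rec["org"] != org_id:
        return False
    return ROLE_RANK[rec["role"]] >= ROLE_RANK[minimum_role]


def session_cookie_header(sid, ttl=SESSION_TTL_SECONDS):
    """Build the Set-Cookie value with the Secure, HttpOnly and SameSite flags set."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    morsel = cookie["session"]
    morsel["secure"] = True      # only sent over TLS
    morsel["httponly"] = True    # not readable from JavaScript
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = ttl      # browser-side expiry mirrors the server TTL
    return morsel.OutputString()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "org-1", "administrator", mfa_verified=True)
    print("Set-Cookie:", session_cookie_header(sid))
    print("admin in org-1:", authorize(store, sid, "org-1", "administrator"))
    print("admin in org-2:", authorize(store, sid, "org-2", "viewer"))
    store.invalidate(sid)
    print("after sign-out:", authorize(store, sid, "org-1", "viewer"))
```

The server-side table is the important part: a cookie with Max-Age alone only asks the browser to forget the id, whereas deleting the record makes a captured cookie value worthless after sign-out or expiry.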
4. Audit logging
The following events are logged with timestamp, actor, IP, and outcome:
- Sign-in attempts (success and failure).
- Password changes, MFA enrollment and reset.
- Permission and role changes.
- Data exports (Settings → Export).
- OAuth connect and disconnect events.
- Administrator actions on customer data.
Logs are retained for 13 months (see Privacy §10) and are available to customers on request. Email support@vyradata.com with the subject “Privacy Inquiry” for accounts you administer.
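An added Python example (not VYRA Data's logging code) of an append-only audit record with the four fields named above, plus one detection a reviewer of these logs would want: IPs with repeated failed sign-ins inside a sliding window. The event names, the 10-minute window, the threshold of 5 and the log lines are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Event types mirroring the categories listed on this page (names are assumed).
SIGN_IN = "sign_in"
PASSWORD_CHANGE = "password_change"
MFA_RESET = "mfa_reset"
ROLE_CHANGE = "role_change"
DATA_EXPORT = "data_export"
OAUTH_CONNECT = "oauth_connect"
OAUTH_DISCONNECT = "oauth_disconnect"


class AuditLog:
    """Append-only JSON-lines log. Every record carries timestamp, actor, IP and outcome."""

    def __init__(self):
        self.lines = []

    def record(self, event, actor, ip, outcome, when=None, **details):
        if outcome not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure'")
        when = when or datetime.now(timezone.utc)
        rec = {
            "ts": when.isoformat(timespec="seconds"),
            "event": event,
            "actor": actor,
            "ip": ip,
            "outcome": outcome,
        }
        # details hold identifiers only (target user, new role); never passwords or tokens.
        if details:
            rec["details"] = details
        self.lines.append(json.dumps(rec, sort_keys=True))
        return rec


def parse(lines):
    for line in lines:
        yield json.loads(line)


def failed_sign_ins_by_ip(lines, window=timedelta(minutes=10), threshold=5):
    """Return {ip: max failures seen within any `window`} for IPs at or over `threshold`."""
    failures = {}
    for rec in parse(lines):
        if rec["event"] == SIGN_IN and rec["outcome"] == "failure":
            failures.setdefault(rec["ip"], []).append(datetime.fromisoformat(rec["ts"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def build_sample_log():
    """Constructed sample: one noisy IP, one benign IP, and a role change."""
    log = AuditLog()
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    for i in range(6):
        log.record(SIGN_IN, "alice@example.com", "203.0.113.7", "failure",
                   when=t0 + timedelta(seconds=20 * i))
    log.record(SIGN_IN, "bob@example.com", "198.51.100.9", "failure", when=t0)
    log.record(SIGN_IN, "bob@example.com", "198.51.100.9", "success",
               when=t0 + timedelta(minutes=1))
    log.record(ROLE_CHANGE, "owner@example.com", "198.51.100.9", "success",
               when=t0 + timedelta(minutes=2), target="bob@example.com", new_role="administrator")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("\n".join(log.lines))
    print("flagged:", failed_sign_ins_by_ip(log.lines))
```

Writing timestamps in UTC with an explicit offset, and keeping secrets out of the details field, is what makes these records safe to hand to a customer on request and easy to correlate across services.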
5. Backups and recovery
- Daily full backups, encrypted, retained for 35 days.
- Point-in-time recovery (PITR) covering the most recent 7 days.
- Restore drills tested at least quarterly on a non-production environment.
- Recovery objectives: RPO 24 hours, RTO 4 hours for a region-level event.
6. Vulnerability management
- Dependency scanning runs on every pull request and weekly across all repos.
- Static analysis (semgrep/ESLint security rules) in CI.
- Container image scanning before deployment.
- Quarterly internal review of high/critical findings.
- Annual third-party penetration test against the production application and infrastructure.
7. Incident response
VYRA Data maintains a documented incident-response runbook with named on-call responders and an internal severity matrix. For Personal Data Breaches affecting customer data, we will notify affected customers and (where applicable) regulators within the timeframes set out in Privacy §17 and the DPA §8.
Post-incident reviews are written for every Sev-1 incident, with corrective actions tracked to completion.
8. Vulnerability disclosure
Coordinated, good-faith security research is welcomed. To report a vulnerability:
- Email support@vyradata.com with the subject “Security Disclosure” and include a description, reproduction steps, and expected impact.
- We will acknowledge within 3 business days.
- Do not access or download other users' data, run automated scans against production beyond what is required to demonstrate the issue, or exploit the vulnerability further.
- We will not pursue legal action against researchers who follow this policy in good faith.
A formal bug-bounty program is on the roadmap and will be linked here when launched.
9. Compliance and certifications
- SOC 2 Type II: in progress. Anticipated initial audit window: 2026. Updates posted here.
- PIPEDA / GDPR / UK GDPR / CCPA / Quebec Law 25: ongoing compliance. Customer rights and contact paths in the Privacy Policy.
- AWS, Cloudflare, Stripe, Resend: VYRA Data relies on their published certifications (SOC 2, ISO 27001, PCI DSS) for the underlying infrastructure layer each of them provides.
Customers with security questionnaires can email support@vyradata.com with the subject “Security Disclosure.” Responses are typically returned within 5 business days.