Vestval

Trust Center

Security, privacy and responsible AI — on the record.

Vestval is built to be a serious vendor. The pages below document the trust posture we hold ourselves to — and that enterprise customers can hold us to.

Security

Defense-in-depth across application, infrastructure and operations. Encryption in transit and at rest, hardened identity, least-privilege everywhere.

Data Privacy

We treat customer and end-user data as a liability to be minimized. Data residency, retention and access scopes are first-class design decisions.

Responsible AI

Provenance, human override, evaluations and guardrails — AI features ship with the same rigor as financial systems.

Business Continuity

Backup strategy, recovery objectives, failure injection and tested runbooks. Continuity is engineered, not assumed.

Support Model

Tiered support with named senior contacts for enterprise engagements. Escalation paths that actually escalate.

SLA Philosophy

We sign realistic SLAs we intend to meet. Availability, response and remediation targets, written and measured.

NDA-Friendly Engagement

Mutual NDAs, IP assignments, DPAs and MSAs as standard paper. Confidential engagements remain confidential — by design and contract.

Enterprise Readiness

Vendor onboarding, security questionnaires, audit support and reference architectures available on request.

Documentation

Available on request.

Most enterprise diligence packets are available under mutual NDA. Reach out to start the process.

  • Information security policy
  • Data processing addendum (DPA)
  • Sub-processor list
  • BC/DR overview
  • Penetration test summary
  • Secure SDLC summary
  • Responsible AI policy
  • Vendor onboarding pack

FAQ

Trust & enterprise FAQs

  • Yes. We deploy to AWS, GCP and Azure regions of your choice and contract residency commitments in writing.

Responsible AI

How we ship AI features safely.

Evaluation gates

Every model-backed feature ships with an offline evaluation suite. Releases require pass thresholds on accuracy, refusal and harmful-output checks.

Provenance

Inputs, prompts, model identifier and version are logged with each AI decision. Outputs are reproducible and auditable on request.

Human override

Consequential decisions surface confidence and provide a one-click human override path. We do not deploy unattended AI in finance, HR or safety contexts.

Data minimization

Customer data is never sent to third-party LLMs without an explicit DPA. PII redaction and scope reduction happen pre-prompt by default.

Model selection discipline

We document why a model was chosen, what alternatives were tested and the cost/performance trade-off. No silent upgrades in production.

Red-team review

High-impact features go through an internal adversarial review before launch. Findings are tracked and remediated.

Data handling

Customer data — minimized, scoped, deletable.

  • Encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Role-based access; production access is least-privilege and audited.
  • Customer-controlled retention windows. Deletion is hard-delete by default, not soft-delete.
  • Sub-processors are listed publicly under NDA and customers are notified before material changes.
  • Customer data is never used to train shared models or third-party services.
  • Regional deployment options across AWS / GCP / Azure to meet residency requirements.
  • Documented data flow diagrams for each productized platform.
  • Backups encrypted, geo-isolated, periodically restore-tested.
  • PII handling reviewed against GDPR / DPDP / CCPA principles.
  • Data subject request (DSR) workflow operated by named accountable contact.

Support model

Tiered, named, accountable.

Standard

Email and ticketing during business hours. Target first-response: 1 business day. Suitable for staging and non-critical workloads.

Business

Email + chat with named account engineer. P1 response within 4 business hours; weekly status review.

Enterprise

Named senior engineer, 24×7 P1 paging, signed SLA, quarterly architecture review and escalation path to leadership.

Responsible disclosure

Found a security issue? Tell us first.

We welcome coordinated disclosure from security researchers and customers. Email hello@vestval.com with subject [security] and a clear reproduction. We acknowledge within 2 business days, validate within 5, and coordinate fix and disclosure timelines with you. We will not pursue legal action against researchers who act in good faith, stay within scope and avoid privacy or service degradation.

  • In-scope: Vestval-operated production properties and productized platforms under your contract.
  • Out-of-scope: third-party services, social engineering of staff, denial-of-service.
  • Please do not access, modify or exfiltrate data that isn't yours.

Privacy commitments

What we will and won't do with your data.

  • We will only use customer data to operate, secure and improve the service you contracted for.
  • We will notify you of material changes to sub-processors, data flows or retention.
  • We will honor data subject requests within applicable statutory windows.
  • We will not sell, rent or trade customer data — ever.
  • We will not use customer data to train cross-customer or third-party models without written consent.
  • We will not claim certifications we don't hold. As we obtain SOC 2 / ISO 27001 audits, they will be listed here with audit body and date.

See also: Privacy Policy, Security overview, Terms of Service.

Need our security pack?

Tell us your jurisdiction, deployment model and timeline. We'll send the right documents under NDA.
