Trust & security

Security is our product — and our practice.

A vulnerability management platform had better hold itself to a higher standard than its customers. Here's how Vornin is built, and how we protect your data.

01 Infrastructure

Dedicated EU infrastructure.

  • Hosting — EU cloud infrastructure, with encrypted storage at rest. Enterprise tenants get a contractual EU data residency clause.
  • Network — TLS 1.2+ for all traffic. Automatic certificate management via Let's Encrypt.
  • Database — PostgreSQL with row-level tenant isolation. Global query filters prevent cross-tenant reads.
  • Backups — nightly encrypted Postgres dumps to EU-region object storage. 30-day retention.
  • Recovery targets — RPO ≤ 24 hours (nightly snapshot). RTO ≤ 4 hours on our current single-VM deployment; we rebuild from a known-good image plus the most recent backup. A quarterly restore drill validates both numbers.

02 Authentication

Passwordless by default.

  • Magic links — email-based auth means no passwords to steal or leak.
  • MFA — TOTP two-factor. Tenant admins can enforce it for every member.
  • SSO — per-tenant SAML and Entra ID from Business onward (no SSO tax).
  • SCIM 2.0 — per-tenant user and group provisioning on Enterprise.
  • Sessions — configurable timeouts with automatic inactivity logout.
  • IP allowlisting — per-tenant CIDR restrictions (Enterprise tier).
  • Brute-force protection — rate limiting on authentication endpoints.

03 Isolation

One tenant cannot see another.

  • Schema-level scoping — every query auto-filtered by tenant ID via EF Core global query filters.
  • Background jobs — jobs that must span tenants iterate them explicitly with IgnoreQueryFilters(); there is no implicit cross-tenant path.
  • Roles — Owner / Admin / Member with granular permissions.
  • Audit trail — every action logged with user, timestamp, and IP.

04 Scan agents

Agents are outbound-only.

  • Outbound only — agents connect out to Vornin. No inbound ports required on your network.
  • Private-IP guard — Vornin never scans RFC 1918 addresses from the cloud. Internal targets route through agents.
  • Code hygiene — cloned source is deleted immediately after scanning. PAT credentials scrubbed from git configs.
  • Credential isolation — agent keys are unique per agent and revocable at any time.

05 Encryption

AES-256-GCM at rest, TLS 1.2+ in flight.

  • In transit — all connections use TLS 1.2 or higher.
  • At rest — sensitive fields (PATs, API keys, TOTP secrets) encrypted with AES-256-GCM before storage.
  • Key management — encryption keys stored separately from application data. App fails fast at startup if keys are missing.

06 Compliance

EU-hosted. DORA / NIS2 mapped.

  • GDPR — EU hosting. Article 20 data export. Article 17 account deletion. Configurable retention per tenant (30 days → 7 years by tier).
  • Auto-mapping — findings linked to DORA, NIS2, ISO 27001:2022, SOC 2, PCI DSS 4.0, HIPAA, GDPR, NIST 800-53 Rev 5, and CIS Controls v8.
  • Audit-ready — per-finding auditor pack ZIP (Business+) with chain verification manifest; tenant-wide auditor PDF (Enterprise).

07 Evidence

Tamper-evident evidence chain.

  • Chain — every VulnerabilityEvent row carries a SHA-256 Hash and the PreviousHash of the preceding event in that tenant's chain. Rewriting one event invalidates every later one.
  • Lock — chain stamping runs inside a pg_advisory_xact_lock(tenantId) transaction so concurrent writers serialize per tenant.
  • Time — .NET ticks (100 ns) are truncated to Postgres microsecond precision before hashing, so the hash computed at write time matches the hash recomputed from the stored row.
  • Verify — the verification service walks a tenant's events in order, recomputes every hash, and reports the first break. Its result is bundled into every auditor-pack manifest.
  • Universal — chain integrity is on for every tenant on every plan; the auditor-pack export is what's gated.
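A compact in-memory model of the chain described above, added here as an illustration (it is not Vornin's code; the product itself is .NET on Postgres). It assumes a canonical JSON encoding of the event fields, an empty PreviousHash for a tenant's first event, and a constructed three-event sample; the per-tenant advisory lock is noted but not modelled.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

TICKS_PER_MICROSECOND = 10  # a .NET tick is 100 ns; Postgres stores 1 µs

def truncate_ticks(ticks: int) -> int:
    """Drop sub-microsecond ticks so the hashed time equals the stored time."""
    return ticks - (ticks % TICKS_PER_MICROSECOND)

@dataclass
class VulnerabilityEvent:
    tenant_id: str
    occurred_ticks: int
    kind: str                 # hypothetical event kind, e.g. "opened"
    payload: str
    previous_hash: str = ""   # empty for the tenant's first event
    hash_hex: str = ""

def compute_hash(ev: VulnerabilityEvent, previous_hash: str) -> str:
    """SHA-256 over an assumed canonical form: sorted keys, truncated time, previous hash."""
    canon = {"tenant": ev.tenant_id, "ticks": truncate_ticks(ev.occurred_ticks),
             "kind": ev.kind, "payload": ev.payload, "prev": previous_hash}
    data = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_event(chain: List[VulnerabilityEvent], ev: VulnerabilityEvent) -> None:
    """Stamp ev onto the chain (production runs this under the per-tenant advisory lock)."""
    ev.previous_hash = chain[-1].hash_hex if chain else ""
    ev.hash_hex = compute_hash(ev, ev.previous_hash)
    chain.append(ev)

def verify_chain(chain: List[VulnerabilityEvent]) -> Optional[int]:
    """Recompute every hash in order; return the index of the first broken link, else None."""
    expected_prev = ""
    for i, ev in enumerate(chain):
        if ev.previous_hash != expected_prev or compute_hash(ev, ev.previous_hash) != ev.hash_hex:
            return i
        expected_prev = ev.hash_hex
    return None

def build_sample_chain() -> List[VulnerabilityEvent]:
    """Constructed sample: three events for one tenant with made-up tick values."""
    chain: List[VulnerabilityEvent] = []
    for i, (kind, payload) in enumerate([("opened", "F-1 high"), ("triaged", "assigned"), ("fixed", "patched")]):
        ev = VulnerabilityEvent("tenant-a", 638_000_000_000_000_000 + i * 10_000_007, kind, payload)
        append_event(chain, ev)
    return chain
```

Editing a stored event's payload makes verify_chain report that event; re-stamping its hash only moves the break to the next event, whose PreviousHash no longer matches.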

08 Dogfood

Vornin scans itself.

We point our own scanners at vornin.com and app.vornin.com on the same cadence we recommend to customers. Critical and High findings are triaged on the same SLA we sell; we publish a redacted summary of the most recent self-scan on request. If it's not safe enough for us, it's not safe enough for you.

09 Disclosure

Responsible disclosure.

Discovered a security vulnerability in Vornin? Email security@vornin.com. Our full policy and safe-harbour terms are at /security-policy. We respond to every report within 48 hours.

Talk security

Questions about our security?

We're happy to walk through architecture, audit trails, or encryption details in depth.