What we buildHow we workReliabilityIntegrationsPortfolioFAQ

Security

Security isn’t a marketing line. Here’s what we actually do, named and specific, so you can verify before trusting.

Our Approach

We build security into systems from the ground up, not bolted on after launch. The list below is what runs in production today on VantageClaw and what we apply to custom builds — not aspirational claims about what we could do if asked.

What Runs in Production

Encryption at Rest

AES-256-GCM authenticated encryption for all secrets. HKDF-SHA256 key derivation with versioned wire format that supports key rotation. Encrypted backups using pg_dump | gzip | gpg --cipher-algo AES256 with SHA-256 checksums.

Sensitive Data Redaction

Credentials, API keys, JWTs, credit card numbers, SIN/SSN are stripped before any data reaches an AI model. Per-org configurable redaction levels. Reversible redaction (Redact-Rehydrate) for workflows where the AI must work with structure but never see real values.

Audit Trails (Tamper-Resistant)

Every audit event is dual-written: PostgreSQL plus a tamper-independent second copy via Loki with 90-day retention and 14-day anti-backdating. Alerts fire if log ingestion stops or audit writes fail.

Access Controls

Role-based access control with five tiers (viewer, member, operator, admin, owner). Per-org rate limiting (600 req/min). Multi-factor authentication via Clerk. Approval gates on all external actions — the AI proposes, a human approves before anything goes out.

Backup & Recovery

Daily encrypted backups with 30-day retention. Weekly automated restore tests against a temporary PostgreSQL instance — checksum, decrypt, restore, sanity query. Alerts if backups stop running or verification fails.

Data Isolation

Each client organization gets its own isolated environment — dedicated container, encrypted workspace, per-org database scoping enforced at the dependency-injection layer (not just by query convention). Bring your own AI provider key — your data, your provider relationship.

Vulnerability Scanning

Our build pipeline runs automated security scans on every change:

  • pip-audit — Python dependency vulnerability scanning
  • npm audit — JavaScript dependency vulnerability scanning
  • Trivy — container image scanning before deployment
  • Bandit — Python static analysis for security issues

SOC 2 Posture

VantageClaw is SOC 2-ready — encrypted backups with verified restores, audit dual-write, data retention policies, vendor risk assessments, change management documentation, and business continuity planning all in place. We’re not certified yet (certification is a multi-month audit process); we’ll start that process when client demand calls for it. The technical infrastructure is already there.

Incident Response

We have a documented incident response plan with clear procedures for detection, containment, eradication, recovery, and post-incident analysis. Monitoring and alerting are built in from day one (Prometheus + Grafana, Loki for log aggregation), so issues surface as they happen rather than after the fact.

Security Questions?

If you have specific security or compliance requirements you’d like to discuss, or want a technical deep-dive on any of the practices above, get in touch.

info@vantagesolutions.ca