// TRUST · SECURITY POSTURE

Security is the product. The site is held to the same bar.

Vezran builds an agentic cyber command layer. That means we live inside the same threat model our customers do. This page is the current state of our security posture — what we do, what we don't yet do, and how to reach us if something looks wrong.

// A · COMPLIANCE

Honest compliance status. No badges until earned.

SOC 2 Type II
In readiness

Audit prep underway. We will display the badge only after certification by a licensed CPA firm. Status will update here.

GDPR / data protection
Architecture designed for compliance

EU-friendly data handling principles applied. Pre-launch legal review is the gate for any "GDPR-compliant" claim.

TLS · CAA
Google-managed cert · CAA pinned to allowed issuers

vezran.com CAA allows pki.goog, letsencrypt.org, sectigo.com. Any other issuer is rejected at DNS level.
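To make the "rejected at DNS level" claim concrete, here is an added example (not Vezran's code, and not a live DNS lookup) that applies the RFC 8659 CAA processing rules to a small constructed zone: it walks from the requested name up to its parents to find the relevant CAA set, honours `issuewild` for wildcard requests, treats the `;` value as a blanket deny, and otherwise admits only the issuers listed. The three issuers for vezran.com are the ones the page names; the `locked.example` zone and the hostnames in the usage note are constructed.

```python
from __future__ import annotations

# Constructed CAA data keyed by DNS name: list of (flags, tag, value).
# The vezran.com entries mirror the issuers the posture page lists;
# 'locked.example' is a made-up zone that forbids every issuer (value ";").
# In practice these would come from a `dig CAA <name>` query.
CAA_ZONE: dict[str, list[tuple[int, str, str]]] = {
    "vezran.com": [
        (0, "issue", "pki.goog"),
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "sectigo.com"),
    ],
    "locked.example": [(0, "issue", ";")],
}


def relevant_caa_records(name: str) -> list[tuple[int, str, str]]:
    """RFC 8659 section 3: climb from `name` towards the root and return the
    first non-empty CAA RRset. An empty list means 'no CAA anywhere'."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        records = CAA_ZONE.get(".".join(labels[i:]), [])
        if records:
            return records
    return []


def issuer_domain(value: str) -> str:
    """Issuer-domain-name part of an issue/issuewild value, dropping any
    ';name=value' parameters (e.g. 'letsencrypt.org; validationmethods=dns-01').
    For the bare ';' deny-all value this yields the empty string, which no
    real issuer can match."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(name: str, issuer: str, wildcard: bool = False) -> bool:
    """True if `issuer` may issue a certificate for `name` (RFC 8659 section 4).

    * no CAA records up the tree            -> any issuer may issue
    * wildcard request and 'issuewild' present -> only issuewild records apply
    * otherwise the 'issue' records apply
    * the issuer must appear in at least one applicable record
    """
    records = relevant_caa_records(name)
    if not records:
        return True
    wild = [r for r in records if r[1].lower() == "issuewild"]
    if wildcard and wild:
        applicable = wild
    else:
        applicable = [r for r in records if r[1].lower() == "issue"]
    if not applicable:
        # Only unrelated tags (e.g. iodef) are present: no restriction expressed.
        return True
    allowed = {issuer_domain(v) for _, _, v in applicable}
    return issuer.lower() in allowed


if __name__ == "__main__":
    # Constructed hostnames; www.vezran.com inherits the vezran.com records.
    for host, ca in [("www.vezran.com", "letsencrypt.org"),
                     ("www.vezran.com", "digicert.com"),
                     ("locked.example", "pki.goog"),
                     ("unlisted.example", "digicert.com")]:
        print(f"{ca:>16} for {host:<18} -> {'allowed' if issuance_permitted(host, ca) else 'REJECTED'}")
```

The walk-up step matters in practice: a record set on the apex covers every label beneath it unless a closer name carries its own CAA set, so a subdomain with no records of its own is still protected by the apex policy.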

Corporate status
Delaware C-Corp · American-built

Headquartered in San Francisco, California. Incorporated and primarily developed in the United States.

// B · PRACTICES

What we actually do today.

No aspirational claims. The list below reflects production reality:

Edge / Network
HTTPS everywhere on vezran.com (Google-managed TLS, HSTS preloaded). Cloud Armor WAF at the load-balancer edge: OWASP Core Rule Set (sqli, xss, lfi, rce, rfi, scanner detection, protocol attacks), 100 req/min per-IP rate limit, Adaptive Protection for L7 DDoS.
Runtime / Secrets
All runtime secrets (Resend API key, Anthropic API key) stored in Google Secret Manager, mounted into Cloud Run only at request-handler time, never written to disk or logs. Service account has least-privilege accessor role per secret.
Ingress isolation
Cloud Run service ingress locked to load-balancer only. The *.run.app URL is not publicly reachable, preventing WAF bypass.
Repository / Supply chain
Source on private GitLab with dual-push mirror to private GitHub. Branch protection on main. Container builds run in Cloud Build with a scoped runner service account — no long-lived deploy keys in code.
Data collected on this site
Contact form, demo form, investor form: name, email, free-form message. Stored only as inbound email via Resend. No analytics cookies. No third-party trackers in production aside from Calendly (demo booking) which loads only on the /demo surface.
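
The Edge / Network entry above states a 100 req/min per-IP rate limit. The following added example (not Vezran's code and not Cloud Armor's implementation, whose interval-based throttle semantics differ) replays constructed request log lines through a sliding-window limiter at that same threshold and reports what an edge enforcing it would have throttled, per client IP. The log format, IP addresses and traffic pattern are all constructed; the point is a way to dry-run a threshold against real load-balancer logs before turning it on.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 100                      # requests allowed per window, per client IP
WINDOW = timedelta(seconds=60)   # trailing window length


def make_constructed_log(start: datetime | None = None) -> list[str]:
    """Synthetic log lines in the form '<iso-timestamp> <client-ip> <method> <path>'.
    One client sends 130 requests in 65 seconds (two per second, scanner-like);
    another sends 40 requests spaced three seconds apart (an ordinary session).
    Both addresses are documentation-range IPs, not real clients."""
    start = start or datetime(2026, 1, 1, 12, 0, 0)
    events: list[tuple[datetime, str, str, str]] = []
    for i in range(130):
        events.append((start + timedelta(milliseconds=500 * i),
                       "203.0.113.7", "GET", "/api/contact"))
    for i in range(40):
        events.append((start + timedelta(seconds=3 * i),
                       "198.51.100.4", "GET", "/demo"))
    events.sort()   # interleave the two clients chronologically
    return [f"{t.isoformat()} {ip} {method} {path}" for t, ip, method, path in events]


def parse_line(line: str) -> tuple[datetime, str, str]:
    ts, ip, _method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, path


def throttle_decisions(lines: list[str]) -> dict[str, int]:
    """Sliding-window limiter: a request is throttled when its client IP already
    has LIMIT admitted requests inside the trailing WINDOW. Returns the number of
    throttled requests per IP (IPs with none are omitted). Throttled requests do
    not count against the window, mirroring a plain deny-on-exceed policy rather
    than a penalty-box that extends the block."""
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    throttled: dict[str, int] = defaultdict(int)
    for line in lines:
        ts, ip, _path = parse_line(line)
        window = recent[ip]
        while window and ts - window[0] >= WINDOW:   # drop entries older than 60s
            window.popleft()
        if len(window) >= LIMIT:
            throttled[ip] += 1
        else:
            window.append(ts)
    return dict(throttled)


if __name__ == "__main__":
    for ip, count in throttle_decisions(make_constructed_log()).items():
        print(f"{ip}: {count} requests would have received HTTP 429")
```

With the constructed traffic, the burst client has its first 100 requests admitted (covering 50 seconds), the next 20 throttled, and the final 10 admitted again as the oldest entries age out of the window; the ordinary session is never touched. Replaying a day of real logs the same way shows which legitimate clients a given threshold would clip before the limit is enforced at the edge.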
// C · DISCLOSURE

Report a vulnerability.

Contact
security@vezran.com

We acknowledge every report within 72 hours. Please include steps to reproduce, the affected URL or component, and your preferred attribution (or anonymity).

In scope
  • vezran.com (this site)
  • API endpoints under vezran.com/api/*
  • Authentication, session, and CSRF behavior
  • Anything that exposes other users' data
Out of scope
  • Findings on subdomains we don't operate
  • Rate-limit / DoS reports without exploitation
  • Vulnerabilities in third-party services we use
  • Self-XSS, social engineering, physical access

We do not currently run a paid bug bounty. We do publicly thank researchers who follow this policy (with permission) in our release notes.