Last updated: May 3, 2026
Security is a first-class concern at VestaGlass. We protect your data with modern encryption, strong authentication, and a defense-in-depth posture across the application stack.
Encryption
- In transit: All traffic to VestaGlass is served over TLS 1.2 or higher with HTTPS enforced end-to-end.
- At rest: Customer data is stored on managed, encrypted infrastructure. Database storage and backups are encrypted using industry-standard AES-256.
Authentication
- Authentication is handled by Clerk, a SOC 2 Type II compliant identity provider.
- Sessions use signed, HttpOnly, SameSite=Lax, Secure cookies to defend against session hijacking and CSRF.
- Multi-factor authentication is available and recommended for all users.
Application security
- Code is reviewed and merged through pull requests with required checks before reaching production.
- Dependencies are tracked and updated regularly. Critical vulnerabilities are patched promptly.
- We use parameterized queries and an ORM (Prisma) to protect against SQL injection.
- Secrets are never committed to source control. Environment variables are stored in our hosting provider's secret manager.
Infrastructure
- VestaGlass is hosted on Fly.io, a SOC 2 Type II compliant platform with hardware-isolated VMs.
- Production deploys are gated by health checks, automated tests, and a baseline-and-rollback workflow that reverts failed deployments.
- Production and staging environments are isolated, with separate credentials and data stores.
Monitoring & incident response
- We use Sentry for real-time error monitoring and performance telemetry. The on-call team is alerted on production incidents.
- We maintain audit logs of administrative actions and review them when investigating anomalies.
- In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay.
Backups & recovery
Production databases are backed up automatically on a recurring schedule. Backups are encrypted and retained according to our recovery objectives. We test restoration procedures regularly.
Responsible disclosure
If you believe you've found a security vulnerability in VestaGlass, please report it to security@vestaglass.com. We commit to acknowledging valid reports promptly and working in good faith with researchers to resolve issues. Please do not publicly disclose the issue until we've had a reasonable opportunity to address it.
Questions
For security or compliance questions, contact security@vestaglass.com.