Security posture, in plain language.
Vigilarx serves a regulated buyer (university research-security offices) operating under federal scrutiny (NSPM-33, FCA). Our security posture is built around what those buyers actually need to defend in a federal audit — not a marketing checklist.
Built around what survives an audit.
The False Claims Act (31 USC §3729) and the federal false-statements statute (18 USC §1001) are the two surfaces a research-security determination has to defend against. Vigilarx is built around three outcomes that those statutes care about: no hallucinations on any user-facing surface, every claim anchored to a verifiable source row at the time of action, and a tamper-evident audit trail that reproduces the chain when challenged.
Concretely: every signed artifact carries a SHA-256 attestation hash. Every screening claim records the exact watchlist version in effect when the action was taken. Every supersede chain (RSP cert re-signing, TCP amendment, scholar clearance re-issue) preserves the prior version verbatim. There is no path through the platform that produces a defensibility-critical artifact without recording the chain.
SOC 2 Type II in process — expected Q4 2026.
We are not yet SOC 2 Type II attested. The audit is in active process; expected attestation is Q4 2026. We do not claim attestations we have not earned. In the meantime, we are happy to share our security questionnaire response, the control inventory we are auditing against, and the readiness program timeline. Request via the link above and you'll have it the same business day.
What is in place today.
Multi-tenant row-level security
Every row in every Vigilarx table is scoped by organization_id. Supabase RLS policies enforce this at the database level — application code cannot bypass tenant isolation. RLS posture verified across the full schema; admin tables use service-role-only access.
Audit-log immutability
audit_log is append-only. Every screening, upload, attestation, decision, and cert signing is logged with actor, action, entity, before/after payloads, source-data version snapshot, and IP. Audit rows are never updated or deleted.
Encryption at rest
Postgres on AWS RDS via Supabase: AES-256 at rest. Storage buckets (cert PDFs, logos, audit packets) encrypted at rest with the same AES-256 standard. Database backups encrypted on creation.
Encryption in transit
TLS 1.2+ for every external connection (HTTPS to vigilarx.com, TLS to Supabase, TLS to Anthropic, TLS to OpenAlex). HSTS enforced; HTTP requests to vigilarx.com redirect to HTTPS at the edge.
Anti-hallucination discipline
Every generated sentence in every report must anchor to a verifiable source row from one of 14 federal + open-source authorities. Unanchored sentences never reach the user. Outcome: no hallucinations in any user-facing surface.
Source-data versioning
Every audit_log event captures a snapshot of all 14 watchlist versions in effect at that moment. When a finding is challenged six months later, the exact source-of-truth used at the time is recoverable.
Tamper-evident attestations
Every signed artifact — RSP cert, TCP, ECCN classification, scholar clearance, country screening determination — carries a SHA-256 attestation hash over canonical JSON. A modified artifact does not match its hash. Cryptographic evidence under FIPS 180-4.
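One way to implement the attestation hash and the supersede chain described above, as an added example that is not Vigilarx's code. The canonical form (sorted keys, compact separators, UTF-8) and every field name are assumptions, since the page does not specify them.

```python
import copy
import hashlib
import json

def canonical_json(obj) -> bytes:
    # Assumed canonical form: sorted keys, compact separators, UTF-8, no NaN.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False).encode("utf-8")

def attestation_hash(artifact: dict) -> str:
    return hashlib.sha256(canonical_json(artifact)).hexdigest()

def supersede(prior: dict, prior_hash: str, changes: dict) -> dict:
    """Build the next version, embedding the prior version verbatim with its hash."""
    if attestation_hash(prior) != prior_hash:
        raise ValueError("prior version does not match its recorded hash")
    body = {k: v for k, v in copy.deepcopy(prior).items() if k != "supersedes"}
    body.update(changes)
    body["version"] = prior["version"] + 1
    body["supersedes"] = {"hash": prior_hash, "artifact": copy.deepcopy(prior)}
    return body

def verify_chain(artifact: dict, recorded_hash: str) -> list:
    """Check every version from newest to oldest; return the versions verified."""
    verified = []
    while True:
        if attestation_hash(artifact) != recorded_hash:
            raise ValueError(f"version {artifact.get('version')} fails its hash check")
        verified.append(artifact["version"])
        link = artifact.get("supersedes")
        if link is None:
            return verified
        artifact, recorded_hash = link["artifact"], link["hash"]

# Constructed sample artifact; every field name and value is hypothetical.
SAMPLE_V1 = {
    "artifact_type": "scholar_clearance",
    "version": 1,
    "organization_id": "org-example-0001",
    "determination": "CLEAR",
    "watchlist_versions": {"example_list_a": "2026-01-15", "example_list_b": "v42"},
}

if __name__ == "__main__":
    h1 = attestation_hash(SAMPLE_V1)
    v2 = supersede(SAMPLE_V1, h1, {"determination": "CLEAR_WITH_CONDITIONS"})
    print(verify_chain(v2, attestation_hash(v2)))
```

The digest is unkeyed, so verification is only meaningful against a reference hash stored where an artifact editor cannot rewrite it, such as an append-only log.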
Authentication
Supabase Auth (email/password, magic-link). Sessions are carried in HttpOnly cookies with Secure and SameSite=Lax set. SSO (SAML / OIDC) is available on the institutional plan; institutional MFA enforcement is on the roadmap.
Service-role isolation
Admin keys (Supabase service-role, Anthropic API, Resend API, Upstash) live in Vercel encrypted env vars; no plaintext in the repo. Service-role client is constructed only inside server-side code paths; never exposed to the browser.
What is in flight, with explicit dates.
SOC 2 Type II
SOC 2 Type II audit in active process. We can share the SOC 2 readiness program details and our security questionnaire response on request — happy to walk through the controls inventory live.
Penetration testing
Pre-launch penetration test scheduled. Summary report (with remediation evidence) shareable with prospects under NDA.
Continuous re-screening alerts
Cron-driven re-screening on cert anniversaries with delta alerts when a watchlist version changes a previously CLEAR finding.
Where customer data lives.
Customer-tenant data lives in a Supabase Postgres instance hosted on AWS us-east-1. Backups are retained for 7 days at the same residency. Storage buckets (cert PDFs, audit packets, logos) are co-located with the database. We do not transfer customer data outside the contracted U.S. region without written consent.
LLM API calls leave the U.S. region when our model provider routes them. Those payloads carry only the specific named-entity inputs needed for the screening, and the response anchors back to verifiable source rows that already live in our database. Our model provider does not retain training data from API traffic.
If something goes wrong.
Vigilarx maintains an incident response plan covering detection, classification, customer notification, and post-incident review. For confirmed incidents involving customer data, we commit to notifying affected customer institutions within 72 hours of confirmation. The notification includes scope, root cause, mitigation status, and a retrospective due within 14 days.
Our incident response plan is part of the SOC 2 Type II evidence inventory. We will share the redacted plan under NDA on request.
Want our security questionnaire response?
Send a note from your institutional email and we'll have the standard questionnaire response (with control inventory + SOC 2 readiness timeline) back to you the same business day.