SOC 2 Type II audit complete · Feb 2026 · clean report

Security at VesperWise.

The full picture: certifications, the architecture diagram, every control we run, and the email address you use to tell us when something looks wrong. Built and audited as if your CISO were reading.

  • SOC 2 Type II · AICPA · annual · Audited Feb '26
  • GDPR · DPA · EU 2016/679 · SCCs · Live · v1.6
  • CCPA / CPRA · California · 1798.100 · Live
  • ISO 27001 · Stage 1 in progress · Audit Q4 '26
  • HIPAA · Not in scope

How security is structured

Four pillars.
Every control rolls up to one of them.

People

Background checks, training, least‑privilege access — and the kind of culture where pushing back on a risky deploy is welcome.

  • Background check on hire
  • Security training: hire + annual
  • MFA on every internal account
  • Quarterly access review

Platform

The infrastructure your data sits on. Encryption at rest and in transit by default — and we use the same SOC 2'd subprocessors your enterprise vendors do.

  • TLS 1.3 · HSTS preloaded
  • AES‑256 at rest (Supabase)
  • RLS on every tenant table
  • Daily encrypted backups · 35d

Product

How your data flows through VesperWise — and what we deliberately don't do with it (e.g. train models on it).

  • SHA‑256 hashed API keys
  • No model training on Customer Data
  • Anthropic zero‑retention enforced
  • One‑click account deletion

Process

How we ship, audit, and respond, including the postmortems you're allowed to ask for after any incident. They're written for customers, not just for internal readers.

  • Annual third‑party pen test
  • 72‑hour breach notification
  • Public status page · 99.97% SLA
  • Public postmortems within 5 days

Data flow

Where your data goes, step by step.

Five hops from a customer’s browser to a scored response. Encryption in transit at every hop; nothing’s logged that doesn’t need to be.

Ingress
  • Customer browser · intentiq.dev · TLS 1.3
  • REST clients · api.intentiq.dev · TLS 1.3

Edge · auth
  • Vercel Edge · us‑east‑1 · WAF · Rate limit
  • Clerk auth · SHA‑256 keys
  • Upstash Redis · cache · 24h TTL

Storage · AI
  • Supabase Postgres · us‑east‑1 · AES‑256 · RLS
  • Anthropic Claude · summary · copilot · Zero‑retain
  • Signal vendors · Explorium · GNews · BuiltWith

For the full subprocessor list with regions, transfer mechanisms, and DPA links, see Subprocessors. We notify account owners 30 days before any change to this set.

Controls in detail

The twelve things your CISO will ask about.

If a control isn’t here, it’s because we don’t run it — and we’ll tell you that, in writing, instead of waving the SOC 2 report.

Encryption · transit · CC6.1 · CC6.7 · Active
All traffic to intentiq.dev uses TLS 1.3 with strong ciphers; HSTS preloaded on the apex; certificates from Let’s Encrypt auto‑rotated every 60 days. Internal service‑to‑service hops use mTLS where the subprocessor supports it.

Encryption · at rest · CC6.1 · Active
AES‑256 on Supabase Postgres and Vercel Blob; key management by the underlying provider with key rotation per their published schedule. We do not hold our own KMS keys today.

Tenant isolation · CC6.6 · Active
Every multi‑tenant table enforces Postgres Row‑Level Security against the authenticated user’s tenant ID. A query cannot escape the tenant predicate by omitting it, because RLS is enforced by the database, not the application layer.
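The RLS setup this control describes, as an added example rather than VesperWise's own schema; the table, the app_user role and the app.tenant_id session setting are assumptions. It also shows the write side (WITH CHECK) and the FORCE clause, which is what makes the "cannot omit the predicate" claim hold for the table owner as well.

```sql
-- Added example, not VesperWise's schema: a tenant-scoped table protected
-- the way the control above describes. Table, role and setting names are
-- assumptions.
CREATE TABLE leads (
  id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id uuid NOT NULL,
  email     text NOT NULL
);

-- ENABLE turns policies on; FORCE applies them to the table owner too.
-- Without FORCE the owning role silently bypasses every policy.
ALTER TABLE leads ENABLE ROW LEVEL SECURITY;
ALTER TABLE leads FORCE ROW LEVEL SECURITY;

-- The request's tenant is carried in a session setting the API layer sets
-- once per transaction. current_setting(..., true) returns NULL instead of
-- raising when the setting is absent, and NULLIF guards the empty string a
-- reset leaves behind, so a request that never set a tenant matches no rows.
CREATE POLICY tenant_isolation ON leads
  USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a role that has no way around the policy
-- (not a superuser, no BYPASSRLS, not the table owner).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON leads TO app_user;

-- Per request, inside one transaction (SET LOCAL ends with it):
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
-- No tenant predicate here, yet only that tenant's rows come back.
SELECT id, email FROM leads;
-- A write claiming another tenant fails the WITH CHECK clause with
-- "new row violates row-level security policy for table "leads"".
INSERT INTO leads (tenant_id, email)
  VALUES ('22222222-2222-2222-2222-222222222222', 'x@example.com');
ROLLBACK;
```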
API authentication · CC6.1 · CC6.6 · Active
API keys are bearer tokens, displayed once on creation, then stored as SHA‑256 hashes. Per‑user rate limits with Upstash; lockout on 10 failed attempts in 60s. Revocation propagates within 30 seconds.
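An added example, not VesperWise's code, of the hashed-key lookup and the 10-failures-in-60-seconds lockout from this control, done in Postgres. It assumes the pgcrypto extension and a token of the form "<key_id>.<secret>", where the public key_id lets failures be counted per owning user (the page does not say what the lockout is keyed on); the per-user rate limit is separate and not shown.

```sql
-- Added example, not VesperWise's code. Assumes pgcrypto and a bearer token
-- of the form "<key_id>.<secret>"; only the secret's SHA-256 is stored.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE TABLE api_keys (
  key_id      text PRIMARY KEY,   -- public half, safe to index and log
  user_id     uuid NOT NULL,
  secret_hash bytea NOT NULL,     -- digest(secret, 'sha256'); plaintext never stored
  revoked_at  timestamptz         -- set on revocation, checked on every lookup
);

CREATE TABLE api_auth_failures (
  user_id      uuid NOT NULL,
  attempted_at timestamptz NOT NULL DEFAULT now()
);
CREATE INDEX ON api_auth_failures (user_id, attempted_at);

-- Returns the owning user_id for a valid, unrevoked key, otherwise NULL.
CREATE FUNCTION authenticate_api_key(p_key_id text, p_secret text)
RETURNS uuid LANGUAGE plpgsql AS $$
DECLARE
  v_user uuid;
  v_ok   boolean;
BEGIN
  SELECT user_id, secret_hash = digest(p_secret, 'sha256') AND revoked_at IS NULL
    INTO v_user, v_ok
    FROM api_keys WHERE key_id = p_key_id;
  IF v_user IS NULL THEN
    RETURN NULL;                  -- unknown key_id: only the rate limiter applies
  END IF;
  -- Lockout: 10 or more failures for this user in the trailing 60 seconds.
  IF (SELECT count(*) FROM api_auth_failures
       WHERE user_id = v_user
         AND attempted_at > now() - interval '60 seconds') >= 10 THEN
    RETURN NULL;
  END IF;
  IF NOT v_ok THEN
    INSERT INTO api_auth_failures (user_id) VALUES (v_user);
    RETURN NULL;
  END IF;
  RETURN v_user;
END $$;

-- Issuing: generate the secret in the application, show it once, store only
-- its hash (constructed sample values).
INSERT INTO api_keys (key_id, user_id, secret_hash)
VALUES ('k_7f3a', '11111111-1111-1111-1111-111111111111',
        digest('CONSTRUCTED_SECRET_shown_once', 'sha256'));
```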
Internal access · CC6.1 · CC6.2 · CC6.3 · Active
Engineers access production via SSO + hardware MFA only. No standing access to customer data. Just‑in‑time access requires a Slack request and an approver, and is auto‑revoked after 4 hours. All access logged with reason.

Audit logging · CC7.1 · CC7.2 · Active
Admin actions, auth events, and access to sensitive routes are logged with actor, IP, and result. Logs are retained 12 months and shipped to a separate, write‑only sink to prevent tampering by the application.

Vulnerability management · CC7.1 · Active
Dependency scanning via GitHub Dependabot on every commit. Critical CVEs patched within 48 hours; high within 7 days. Third‑party penetration test every 12 months; summary available under NDA.

Backups & resilience · A1.2 · A1.3 · Active
Daily encrypted database backups with 35‑day retention; point‑in‑time recovery to any second within the last 7 days. RPO 24h, RTO 4h. DR drills run twice per year; latest drill recovered the full stack in 1h 42m.

Incident response · CC7.3 · CC7.5 · Active
On‑call rotation with paging. Severity ladder published internally; SEV‑1 invokes a war room within 10 minutes. Customer notification within 72 hours of confirmed Personal Data Breach per GDPR Art. 33. Postmortem within 5 business days.

AI processing · CC9.1 · Customer policy · Active
Anthropic configured with zero data retention; prompts are not used for training; no PII included in prompts. Customers can disable AI features per workspace. BYO Anthropic key on Pro and Agency plans.

Personnel · CC1.4 · Active
Background checks on hire (criminal, employment, education). Confidentiality agreements signed before access. Security training on hire and annually. Offboarding revokes all access within 1 hour of last day.

Physical security · CC6.4 · Active
VesperWise operates no data centers. All production hosting is at SOC 2 and ISO 27001 certified subprocessors (Vercel, Supabase, Upstash). Office spaces are subleased; no production data on local devices.

For your procurement team

Everything you need to fast‑track us.

Pre‑filled questionnaires, the SOC 2 report, the DPA, and a one‑pager you can drop into a security review.

  • SOC 2 Type II report · PDF · NDA required · Feb 2026 · Clean opinion · 42 pages
  • Data Processing Agreement · Auto‑signed · public · v1.6 · GDPR Art. 28 · SCCs included
  • CAIQ Lite · SIG Core (pre‑filled) · Spreadsheet · Updated May '26 · 287 questions
  • Subprocessor inventory · Public · live · 9 subprocessors · 30‑day change notice
  • Status page · uptime history · Live · status.intentiq.dev · 99.97% / 90d
  • Security one‑pager · PDF · For a 5‑minute review

Found something? Tell us.

We pay bounties up to $5,000 for severe issues, settled in 14 days. No legal threats for good‑faith research. Encrypt your report with the PGP key below, or just email security@intentiq.dev in the clear.

PGP fingerprint · security@intentiq.dev · 8C42 9B17 D6E3 7F4A 1C0E  5D8A 9F36 A1B2 04EC 7F31