Security Practices

Last updated: February 18, 2026

1. Our Commitment

Security is foundational to Vulu Vault. As a platform handling sensitive compliance documents and business data, we implement multiple layers of protection to safeguard your information.

2. Infrastructure Security

  • Hosting: Deployed on Vercel with automatic scaling, DDoS protection, and edge network distribution.
  • Database: PostgreSQL 15 on Neon with automated backups, point-in-time recovery, and encrypted connections.
  • File Storage: Cloudflare R2 with S3-compatible API, server-side encryption, and presigned URL access control.
  • CDN: All traffic routed through Cloudflare with WAF protection.

3. Data Encryption

  • In Transit: All connections use TLS 1.3. HTTP is automatically redirected to HTTPS.
  • At Rest: Database and file storage use provider-level AES-256 encryption.
  • Passwords: Hashed with bcrypt using an adaptive cost factor that can be raised as hardware gets faster. Plaintext passwords are never stored.
  • Tokens: Session refresh tokens are stored only as SHA-256 hashes, so a copy of the database does not yield usable tokens. JWT access tokens are short-lived (15 minutes).

4. Authentication & Access Control

  • JWT Authentication: Short-lived access tokens (15 minutes) paired with refresh tokens (7-day lifetime) that are rotated on each use, so a previously issued refresh token cannot be replayed.
  • Multi-Factor Authentication: TOTP-based MFA support for enhanced account security.
  • Role-Based Access Control: 14-role hierarchy with granular permissions across resources and actions.
  • Rate Limiting: IP-based rate limiting on authentication endpoints to prevent brute-force attacks.
  • Account Lockout: Automatic account lockout after repeated failed login attempts.
  • Session Management: Sessions track IP and user agent; old sessions are revoked on new login.

5. Multi-Tenant Isolation

Every database query is scoped to the authenticated user's tenant. Tenant identity is derived in middleware from a cryptographically verified token, never from client-supplied headers, so forged tenant or user headers are rejected rather than trusted. Because the scoping happens at the data-access layer rather than in each endpoint, cross-tenant reads and writes are not reachable through the API.

6. Application Security

  • SQL Injection: All database queries use parameterized statements.
  • XSS Prevention: React's built-in output escaping, no unsafe HTML rendering.
  • CSRF Protection: Session cookies are issued with the SameSite attribute and the Secure flag.
  • Header Spoofing: Middleware discards any internal authentication headers supplied by the client before setting its own, and verifies the signature and timestamp on the values it forwards. CVE-2025-29927, the Next.js bypass in which a request carrying the x-middleware-subrequest header skipped middleware entirely, is mitigated.
  • Dependency Security: Regular npm audit scans, with no known dependency vulnerabilities outstanding as of this update.
  • Document Security: File type validation, size limits, and malware scanning on uploads.

7. Monitoring & Incident Response

  • Error Tracking: Sentry error tracking with real-time alerting; analytics data is collected only with user consent.
  • Audit Logging: Comprehensive logs of all user actions including IP address and user agent.
  • Health Monitoring: Automated health checks on database connectivity and critical services.

8. Compliance Features

  • Legal Holds: Ability to freeze documents from deletion during legal proceedings.
  • Retention Policies: Configurable data retention with automated cleanup.
  • Data Export: Users can export their personal data in JSON format.
  • Account Deletion: Users can request full account deletion with PII anonymization.

9. Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@vuluvault.com. We will acknowledge receipt within 48 hours and work to resolve verified issues promptly. We do not pursue legal action against researchers who follow responsible disclosure practices.