Security Overview
Last updated: September 17, 2025
Model
Single-tenant logic per workspace; multi-tenant infrastructure on IaaS.
Regions
Primary: Frankfurt, Germany (Vultr). We may deploy in other Vultr regions upon request or for capacity; we'll reflect this on /legal/subprocessors.
Data at rest
Stored on encrypted volumes provided by our IaaS. We do not offer end-to-end encryption.
Data in transit
HTTPS/TLS for all public endpoints.
Access controls
Minimal production access; MFA required; role-based; access limited to operational need and logged.
Secure development
The codebase is open-source and accepts community contributions. We use code review, CI checks, and dependency scanning before deployment. Security issues can be reported via /.well-known/security.txt.
Data minimization
No recording storage by default. Transcripts are kept until you delete them. System logs avoid sensitive payloads where feasible.
Backups
Infrastructure resilience (e.g., replicas) only. No customer-restorable backups of transcripts; you must export/retain copies.
Deletion
API/UI deletion purges transcripts from active systems; residual copies may persist briefly in logs or caches until overwritten.
Incident response
24/7 monitoring; triage, containment, and customer comms. Breach notices per DPA/Privacy.
Vulnerability disclosure
Email info@vexa.ai or use /.well-known/security.txt. No bug-bounty yet.
Employee & devices
Minimal staff; security training; patched OS; full-disk encryption; least-privilege.
Compliance
No certification claims. We follow reasonable industry practices appropriate for an early-stage SaaS.
Contact
For security-related questions, please contact us at: info@vexa.ai