Trust & Security

Last updated: July 5, 2026

Security and privacy are foundational to how we build. The Visual Decisions platform is engineered to the AICPA SOC 2 Trust Services Criteria, and our security and privacy controls are implemented and operating in production today.

In 2026 we completed a comprehensive, independent assessment of the platform against the SOC 2 framework and remediated every finding across all severity levels. We run on SOC-2-attested infrastructure (AWS and Vercel) and maintain a control environment built to be examination-ready. We are pursuing formal SOC 2 attestation on a timeline aligned to our customers' needs.

We're glad to share our detailed control matrix, complete a security questionnaire, and provide supporting evidence under NDA — just reach out.

How we protect your data

Access control & authentication. Centralized authentication with multi-factor authentication (TOTP) enforced on every administrative surface across the platform. Administrative credentials are protected with encrypted secrets, least-privilege database roles, and per-application signing keys.

Change management. Every change reaches production through an enforced pull-request workflow with branch protection and a required automated gate — type-checking, dependency vulnerability scanning, and an automated test suite must all pass before any change ships. No direct-to-production changes.

Monitoring & audit trail. Security-critical actions are recorded in a tamper-evident, append-only audit log (a cryptographic hash chain plus database-level write protection), verified daily by an automated integrity check. Application errors are captured by centralized monitoring and alerting, with personal data scrubbed before storage.

Network & application hardening. HTTP security headers including HSTS and a Content-Security-Policy (currently in monitoring mode, with enforcement in progress); rate limiting on authentication and sensitive endpoints at both the application and edge layers; and managed DDoS protection.

Data protection. Encryption in transit (TLS/HTTPS) and at rest (AWS RDS). Access is scoped by role and by company, and administrative actions are gated by MFA and recorded in the audit trail.

Privacy by design. Self-service account deletion (right to erasure), usage analytics minimized to anonymous, non-identifying data at the point of collection, published privacy policies across all properties, a Record of Processing Activities, a maintained sub-processor register, and documented data-retention periods. A data-processing agreement (DPA) is available on request.

Reliable infrastructure. The platform runs on managed, redundant infrastructure (AWS RDS, Vercel) with provider-managed backups.

Working with our security team

We support customer security reviews and can provide, under NDA:

  • A control matrix mapping each control to the relevant Trust Services Criteria
  • A completed security questionnaire (SIG, CAIQ, or your standard form)
  • Our sub-processor list and Record of Processing Activities
  • A data-processing agreement (DPA)
  • An architecture and data-flow overview

Contact

This page describes our security program as of the date above. It is not a SOC 2 report and does not constitute a representation of SOC 2 certification. A SOC 2 report can be issued only by an independent licensed CPA firm following a formal examination.