Back to Home

Security Policy

Last Updated: 06/2025

Security isn't just a feature at W9Vault — it's our foundation. We understand that accounting professionals handle some of the most sensitive financial information, and we've designed our platform to exceed industry security standards with military-grade encryption and zero-knowledge architecture.

Our Security Architecture

Zero-Knowledge Client-Side Encryption

  • All documents are encrypted in the vendor's browser before upload using TweetNaCl XSalsa20-Poly1305 encryption
  • Each file gets its own unique encryption key generated with cryptographically secure random number generators
  • We literally cannot read the contents of uploaded files — they appear as meaningless encrypted data to our systems
  • Only the intended recipient can decrypt the files

End-to-End Security

  • TLS 1.3 encryption for all data in transit
  • Database encryption at rest using AES-256
  • Encrypted backups with geographic distribution
  • Secure key management with hardware security modules

Automatic Data Deletion

  • All uploaded documents automatically deleted after 30 days (no exceptions)
  • Secure deletion using cryptographic erasure
  • No long-term document storage (by design)
  • Audit logs confirm successful deletion

Application Security

Access Controls

  • Multi-factor authentication available for all accounts
  • Strong password requirements enforced
  • Session management with automatic timeout
  • Role-based access controls with principle of least privilege

Attack Prevention

  • Content Security Policy (CSP) prevents XSS attacks
  • Input validation and sanitization on all user inputs
  • Rate limiting with progressive delays to prevent abuse
  • Secure error handling prevents information leakage

Monitoring & Detection

  • Real-time security event monitoring through Sentry
  • Audit logging for all security-relevant events
  • Automated threat detection and response
  • Failed login attempt tracking and alerting

Infrastructure Security

Hosting & Network

  • Hosted on Vercel with enterprise-grade security
  • Global CDN with DDoS protection
  • Network segmentation and firewall protection
  • Regular security patches and updates

Database Security

  • Supabase provides PostgreSQL with row-level security
  • Database backups are encrypted and geographically distributed
  • Network isolation and access controls
  • Regular third-party security assessments

Vendor Security

We work only with security-certified partners:

  • Supabase: SOC 2 Type II certified, ISO 27001 certified
  • Stripe: PCI DSS Level 1 certified for payment processing
  • Vercel: SOC 2 Type II certified hosting platform
  • Resend: GDPR compliant email services with TLS encryption

All vendors undergo security assessments and are bound by strict data processing agreements.

Compliance & Auditing

Standards & Certifications

  • We follow SOC 2-aligned controls and are exploring formal certification as we grow
  • GDPR compliant data processing
  • CCPA compliance for California users
  • Industry-standard encryption protocols

Regular Security Reviews

  • Annual third-party security assessments
  • Quarterly internal security reviews
  • Continuous vulnerability scanning
  • Penetration testing by certified security professionals

Incident Response

Detection & Response

  • 24/7 automated monitoring for security events
  • Incident response procedures activated within 4 hours
  • Clear escalation procedures for security incidents
  • Transparent communication plan for affected users

Breach Notification

  • Immediate investigation of potential breaches
  • Notification within 72 hours if required by law
  • Clear communication about impact and remediation steps
  • Post-incident security improvements implemented

Data Protection by Design

Privacy-First Architecture

  • Zero-knowledge encryption by default
  • Minimal data collection principles
  • Automatic data deletion timelines
  • Privacy-preserving analytics and monitoring

Secure Development Practices

  • Security code reviews for all releases
  • Automated security testing in CI/CD pipeline
  • Regular security awareness training for staff
  • Secure development lifecycle (SDLC) practices

Security Transparency

Reporting Security Issues

We take security seriously and appreciate responsible disclosure:

  • Email: security@w9vault.com
  • Include detailed description of the vulnerability
  • Provide steps to reproduce if possible
  • Allow reasonable time for response and remediation

Our Response Commitment

  • Acknowledgment within 24 hours
  • Initial assessment within 72 hours
  • Regular updates throughout investigation
  • Recognition for responsible security researchers

Physical Security

Data Center Security

  • All data stored in SOC 2 certified data centers
  • 24/7 physical security monitoring
  • Biometric access controls
  • Environmental controls and redundancy systems

Questions & Contact

For security-related questions or to report security issues:

We maintain this security policy with regular reviews and updates to reflect our ongoing commitment to protecting your sensitive financial data.