Security

Last updated 15 April 2026 · Version 1.0

Security is foundational to GetAiVIS. This page describes the controls we have in place to protect your data and keep the service available. It is written for customers, prospects, and security reviewers conducting third-party risk assessments.

Data encryption

In transit: TLS 1.2+ on all customer-facing traffic. Insecure protocols are rejected at the edge.
At rest: All application data is stored in an encrypted managed PostgreSQL database on Railway. Disk-level and backup encryption are provided by the underlying cloud infrastructure.
Passwords: Stored as one-way bcrypt hashes with a per-user salt. Plaintext passwords are never logged and cannot be recovered by GetAiVIS — only reset.
Secrets: API keys, database credentials, and third-party tokens are stored as encrypted environment variables managed by the hosting platform; never committed to source control.

Access control

Role-based access control at the application level separates free, Pro, Agency, and admin privileges.
Production infrastructure access is limited to the founder/operator and reviewed regularly. Access requires strong authentication.
Session cookies are marked Secure, HttpOnly, and SameSite=Lax to mitigate XSS and CSRF risk.
No shared production accounts. No shared passwords.

Application security

Parameterised database queries throughout the codebase to prevent SQL injection.
Input validation and output encoding for all user-supplied data.
CSRF protection on state-changing endpoints; rate limiting on authentication and scan endpoints.
Dependencies audited with automated vulnerability scanning; security patches applied promptly.
Security headers (Content-Security-Policy, X-Content-Type-Options, Referrer-Policy) set via the hosting platform and application layer.

Infrastructure & hosting

Hosted on Railway (primary), fronted by Cloudflare for DNS, TLS, and DDoS protection.
Automated daily database backups retained for at least 7 days on Pro, with point-in-time recovery.
All public traffic served over HTTPS; plain HTTP requests are redirected.
Production environment is fully segregated from any development or test environments; no customer data is used for development.

Monitoring & logging

Application and infrastructure logs retained on a 30-day rolling basis, used for debugging, abuse detection, and incident investigation.
Uptime monitoring on key endpoints with alerting to the operator.
Anomaly detection on authentication events (failed logins, unusual locations).

Incident response

GetAiVIS maintains a documented incident response process covering detection, containment, eradication, recovery, and post-incident review. In the event of a personal data breach likely to result in a risk to data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware, and affected customers without undue delay, in line with Article 33 of the GDPR and the UAE PDPL.

Business continuity

Stateless application servers enable rapid redeploy on host failure.
Managed database with automated backups enables restoration to a new instance if the primary is lost.
Source code and configuration are version-controlled and replicated off-platform.

Vendor management

All subprocessors are reviewed before onboarding and listed publicly at /subprocessors.html. We contract with vendors that offer equivalent or stronger security controls and appropriate international transfer safeguards.

Responsible disclosure

If you believe you've found a security vulnerability in GetAiVIS, please email security@getaivis.ai with:

A description of the issue and steps to reproduce
The affected endpoint or feature
Your contact details so we can follow up

We commit to acknowledge the report within 48 hours, investigate in good faith, and keep you informed of progress. Please do not exploit the vulnerability beyond the minimum required to demonstrate it, do not access or modify other users' data, and give us a reasonable opportunity to remediate before public disclosure.

Certifications: GetAiVIS is a small, fast-moving product and does not currently hold SOC 2 or ISO 27001 certification. If formal certification is a procurement requirement, please contact us at security@getaivis.ai to discuss a tailored security questionnaire and supporting evidence.

Contact

Security questions: security@getaivis.ai