SECURITY

Security at Vortyk

How we protect your data at every level.

Last Updated: March 29, 2026

Encryption in Transit

All data transmitted over TLS 1.2+ with modern cipher suites

Encryption at Rest

AES-256 encryption for all stored data and backups

PCI DSS Level 1

Payment processing handled by Stripe, PCI DSS Level 1 certified

Row-Level Security

Database policies ensure users can only access their own data

JWT Authentication

Secure token-based session management with automatic expiration

Input Validation

Zod schema validation on every form submission and API endpoint

1. Data Encryption

In Transit

All data transmitted between your browser and Vortyk servers is encrypted using TLS 1.2 or higher with modern cipher suites. This includes all API calls, photo uploads, report downloads, and client sharing sessions. We enforce HTTPS on all connections and do not support unencrypted HTTP access.

At Rest

All data stored in our databases and file storage systems is encrypted using AES-256 encryption. This includes your account information, photos, reports, GPS data, and metadata. Encrypted backups are maintained in geographically distributed locations for disaster recovery.

Key Management

Encryption keys are managed through industry-standard key management services with automatic rotation. Keys are stored separately from encrypted data and are never exposed to application code.

2. Access Controls

Row-Level Security

Vortyk implements database-level row-level security (RLS) policies that enforce strict data isolation between accounts. Every database query is scoped to your user ID, ensuring you can only access your own projects, surveys, photos, and reports. This protection operates at the database level, independent of application logic.

Authentication

User sessions are managed through JWT (JSON Web Token) authentication with secure token generation and automatic expiration. Passwords are hashed using bcrypt with appropriate cost factors before storage. Vortyk never stores plaintext passwords.

Ownership Verification

Every data mutation (create, update, delete) includes an ownership verification check that confirms the requesting user is the legitimate owner of the resource. This check occurs at the API layer before any database operation is executed.

Enterprise Role-Based Access

For Enterprise plan organizations, Vortyk supports role-based access control (RBAC) with Owner, Admin, and Member roles. Each role has granular permissions governing project access, member management, and billing operations.

3. Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. PCI DSS Level 1 is the highest level of payment security certification.

Vortyk never collects, transmits, or stores your full credit card number, CVV, or other sensitive payment card data. When you enter your payment information, it is transmitted directly to Stripe through their secure payment elements. Vortyk receives only the last four digits of your card number and the card brand for display purposes.

Stripe webhook events are verified using cryptographic signature validation to prevent tampering. Every incoming payment event is authenticated before processing.

For more information about Stripe's security practices, visit stripe.com/docs/security.

4. Infrastructure Security

Vortyk is hosted on Vercel's edge network, which provides automatic DDoS protection, global content distribution, and automatic scaling to handle traffic spikes.

Photos and reports are stored in secure cloud storage with access controlled through signed URLs. Each signed URL has a one-hour time-to-live (TTL) expiration, ensuring that direct file access links cannot be reused indefinitely.

Application deployments follow immutable infrastructure principles. Each deployment creates a new, isolated instance rather than modifying existing servers, reducing the risk of configuration drift or persistent compromise.

Network traffic is monitored for anomalous patterns, and automated rate limiting protects against brute-force attacks and API abuse.

5. Data Protection

Backups

Data is backed up regularly to encrypted, geographically distributed storage. Backups are tested periodically to verify recoverability. Backup retention follows the schedule described in our Privacy Policy.

Account Isolation

Each user's data is logically isolated at the database level through row-level security policies. Enterprise organizations maintain a separate namespace for shared projects while preserving individual data boundaries.

Secure Deletion

When you delete photos, projects, or your account, the data is marked for deletion and permanently removed from primary storage within 30 days. Data may persist in encrypted backups for up to 90 days before being purged.

Photo Validation

Uploaded photos undergo validation checks for file type, file size, and format integrity before being stored. Files that fail validation are rejected and not stored.

6. Incident Response

Vortyk maintains an incident response plan for security events. Our process includes the following phases:

Detection

We use automated monitoring, logging, and alerting to detect potential security incidents. Unusual access patterns, authentication failures, and system anomalies trigger immediate alerts.

Containment and Investigation

Upon detection, the incident response team works to contain the incident, assess the scope and impact, and identify the root cause. Affected systems are isolated as needed to prevent further exposure.

Notification

If a security incident affects your personal data, we will notify you by email within 72 hours of confirming the breach, in accordance with applicable data breach notification laws. The notification will include a description of the incident, the types of data affected, and the steps we are taking in response.

Remediation

Following an incident, we implement corrective measures to address the root cause and prevent recurrence. This may include security patches, configuration changes, access revocations, or infrastructure updates.

Post-Incident Review

After resolution, we conduct a post-incident review to document lessons learned and improve our security posture.

7. Compliance Framework

Vortyk is designed and operated with alignment to recognized security and privacy frameworks:

Privacy Law Compliance

Vortyk complies with applicable U.S. state privacy laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and comprehensive privacy laws in Virginia, Colorado, Connecticut, and other states. See our Privacy Policy for detailed information about your privacy rights.

SOC 2 Aligned Practices

Vortyk follows security practices aligned with SOC 2 Trust Service Criteria, including access controls, encryption, monitoring, and incident response. We are working toward formal SOC 2 Type 2 certification.

Input Validation

Every form submission and API endpoint is validated using Zod schema validation to prevent injection attacks, malformed data, and unauthorized input. This applies to all user-facing inputs as well as internal API communications.

Regular Security Reviews

We conduct periodic security reviews of our codebase, infrastructure, and access controls to identify and address potential vulnerabilities before they can be exploited.

8. Important Limitations

Vortyk's security measures are designed to protect your data within our infrastructure against unauthorized access, disclosure, and loss. However, no system is completely immune to all security threats, and we cannot guarantee that our security measures will prevent every potential breach or unauthorized access attempt.

Device-Level Data Accuracy

Vortyk's security practices protect the integrity of data within our systems but do not address the accuracy of data provided by your device. GPS coordinates, timestamps, camera bearing, and other EXIF metadata are generated by your device's hardware and software before being uploaded to Vortyk. The accuracy and reliability of this data depend on your device and environmental conditions, which are entirely outside Vortyk's control and outside the scope of our security measures.

User Responsibility

You are responsible for maintaining the security of your own devices, accounts, and credentials. This includes keeping your device software updated, using strong passwords, and protecting your login credentials from unauthorized use. Vortyk cannot protect against unauthorized access that results from compromised user credentials or insecure user devices.

Third-Party Services

While we carefully select and monitor our third-party service providers, Vortyk is not responsible for the security practices of third-party services (including Stripe, Vercel, and Google Analytics). Each provider maintains its own security measures and policies.

Shared Content

When you share project data through client sharing links, the security of that data depends on the strength of the password you set and the behavior of the recipients you share with. Vortyk cannot control how recipients handle, store, or distribute data they access through sharing links.

For mission-critical data, we recommend maintaining independent backups outside of Vortyk and verifying data accuracy through independent means.

9. Report a Security Concern

If you discover a security vulnerability in Vortyk, we encourage responsible disclosure. Please report security concerns to security@vortyk.com with a detailed description of the vulnerability, including steps to reproduce it if possible.

We ask that you: give us reasonable time to investigate and address the issue before disclosing it publicly, make a good-faith effort to avoid accessing other users' data or disrupting the service during your research, and do not exploit any vulnerability beyond what is necessary to demonstrate the issue.

We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days. We are committed to working with security researchers to resolve issues promptly.

Vortyk does not currently offer a formal bug bounty program, but we deeply appreciate the security community's efforts to help keep our platform safe.

To report a security concern, contact us at security@vortyk.com.