Security Overview

Version 2026-06-16

Vectrip handles sensitive traveler information for executives and operations teams. Security is a first-class engineering concern, not an afterthought. This overview summarizes the technical and operational controls we maintain.

Architecture

  • Multi-tenant SaaS with strict per-organization row-level security enforced in the database, not just the application layer.
  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256 on managed infrastructure).
  • Sensitive traveler fields (passport, driver license, etc.) stored in a separate encrypted table with envelope encryption.
  • Secrets stored in a hardened secret manager, never in source code.

Authentication & access

  • Email + password, Google OAuth, and Apple Sign In supported.
  • TOTP-based multi-factor authentication available on every account.
  • Role-based access control: admin, assistant, approver, finance, traveler.
  • Magic links for external approvers and travelers; cryptographically signed, single-use, and time-limited.
  • Session timeout and audit logging of sign-in events.

Infrastructure

  • Hosted on Cloudflare Workers + Supabase (Postgres) in US/EU regions.
  • Managed Postgres with daily encrypted backups and 30-day point-in-time recovery.
  • Edge functions run in isolated V8 sandboxes; no persistent local filesystem.

Data minimization

  • We do not store full payment card numbers or CVV codes.
  • Sensitive traveler fields are optional and access is audit-logged on every read.
  • Encrypted fields can be deleted independently without deleting the traveler.

Sub-processors

  • Lovable Cloud / Supabase — hosting, database, authentication, edge compute.
  • Cloudflare — edge runtime, CDN, DDoS protection.
  • Mailgun — transactional email delivery.
  • Twilio — SMS notifications.
  • Stripe — billing and payments.
  • Duffel — flight and hotel inventory.
  • OpenAI — AI-powered request extraction (zero-retention data policy).

Monitoring & response

  • Application and security event logging with retention sufficient to investigate incidents.
  • Automated anomaly detection for queue depth, error rates, and authentication failures.
  • Incident response: triage within 24 hours, customer notification within 72 hours for confirmed breaches involving personal data.

Reporting a vulnerability

We welcome coordinated disclosure. Email security@vectrip.com with a clear reproduction. Please do not test against other customers' workspaces. We will acknowledge within two business days.

Compliance

Vectrip aligns with SOC 2 control objectives and supports GDPR / CCPA data-subject rights. We are not yet SOC 2 audited; our roadmap targets a Type I report. Enterprise customers may execute a Data Processing Addendum on request.