Security Overview
Version 2026-06-16
Vectrip handles sensitive traveler information for executives and operations teams. Security is a first-class engineering concern, not an afterthought. This overview summarizes the technical and operational controls we maintain.
Architecture
- Multi-tenant SaaS with strict per-organization row-level security enforced in the database, not just the application layer.
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256 on managed infrastructure).
- Sensitive traveler fields (passport, driver license, etc.) stored in a separate encrypted table with envelope encryption.
- Secrets stored in a hardened secret manager, never in source code.
Authentication & access
- Email + password, Google OAuth, and Apple Sign In supported.
- TOTP-based multi-factor authentication available on every account.
- Role-based access control: admin, assistant, approver, finance, traveler.
- Magic links for external approvers and travelers; cryptographically signed, single-use, and time-limited.
- Session timeout and audit logging of sign-in events.
Infrastructure
- Hosted on Cloudflare Workers + Supabase (Postgres) in US/EU regions.
- Managed Postgres with daily encrypted backups and 30-day point-in-time recovery.
- Edge functions run in isolated V8 sandboxes; no persistent local filesystem.
Data minimization
- We do not store full payment card numbers or CVV codes.
- Sensitive traveler fields are optional and access is audit-logged on every read.
- Encrypted fields can be deleted independently without deleting the traveler.
Sub-processors
- Lovable Cloud / Supabase — hosting, database, authentication, edge compute.
- Cloudflare — edge runtime, CDN, DDoS protection.
- Mailgun — transactional email delivery.
- Twilio — SMS notifications.
- Stripe — billing and payments.
- Duffel — flight and hotel inventory.
- OpenAI — AI-powered request extraction (zero-retention data policy).
Monitoring & response
- Application and security event logging with retention sufficient to investigate incidents.
- Automated anomaly detection for queue depth, error rates, and authentication failures.
- Incident response: triage within 24 hours, customer notification within 72 hours for confirmed breaches involving personal data.
Reporting a vulnerability
We welcome coordinated disclosure. Email security@vectrip.com with a clear reproduction. Please do not test against other customers' workspaces. We will acknowledge within two business days.
Compliance
Vectrip aligns with SOC 2 control objectives and supports GDPR / CCPA data-subject rights. We are not yet SOC 2 audited; our roadmap targets a Type I report. Enterprise customers may execute a Data Processing Addendum on request.
Vectrip