Security Documentation
Technical security controls, data protection measures, and privacy guarantees for the VPC Platform.
Last updated: January 2026
1. Encryption Standards
| Data State | Algorithm | Key Size |
|---|---|---|
| In Transit | TLS 1.3 | 256-bit (AES-GCM) |
| At Rest | AES-256-GCM | 256-bit |
| Report Signatures | RSA-PSS / ECDSA | 4096-bit / P-384 |
| Hash Functions | SHA-256 / SHA-384 | 256-bit / 384-bit |
All cipher suites are reviewed quarterly and updated to maintain compliance with current NIST recommendations. Legacy protocols (TLS 1.0, 1.1, 1.2) are disabled.
2. Key Management
- Key Generation: All cryptographic keys are generated using hardware security modules (HSMs) with FIPS 140-2 Level 3 certification.
- Key Storage: Master keys stored in HSMs. Data encryption keys (DEKs) are encrypted with key encryption keys (KEKs) and stored separately from encrypted data.
- Key Rotation: DEKs rotated every 90 days. KEKs rotated annually. Emergency rotation procedures documented and tested quarterly.
- Customer-Managed Keys: Enterprise customers may provide their own KEKs via supported cloud KMS integrations (AWS KMS, Azure Key Vault, Google Cloud KMS).
3. Data Retention Policies
| Data Type | Default Retention | Configurable |
|---|---|---|
| Audit Reports | 7 years | Yes (minimum 1 year) |
| Session Recordings | 90 days | Yes |
| Identity Verification Data | Deleted after verification | No |
| System Logs | 1 year | No |
| Presence Telemetry | Aggregated in reports, raw deleted after 30 days | Yes |
All data deletion is cryptographic (key destruction) followed by physical deletion within 30 days. Deletion certificates available upon request.
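To make the envelope-encryption design behind sections 2 and 3 concrete (a per-record DEK wrapped under a KEK and stored apart from the ciphertext, KEK rotation by rewrapping, deletion by key destruction), here is an added Go example; it is not the platform's own code, and the HSM-held KEK is stood in for by a random key generated in software. The function names (NewKey, Encrypt, Decrypt, RotateKEK) and the 12-byte nonce-prefix layout are the example's own assumptions, not the platform's storage format.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k } // 256-bit key; the HSM does this in production
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes, so this is a bug, not bad input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// seal encrypts plaintext with AES-256-GCM, prefixing a fresh random 96-bit nonce.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or any modification fails GCM authentication.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("sealed blob too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}
// Encrypt seals data under a fresh per-record DEK; ciphertext and wrapped DEK are returned (and stored) separately.
func Encrypt(kek, plaintext []byte) (ciphertext, wrappedDEK []byte) {
	dek := NewKey()
	return seal(dek, plaintext), seal(kek, dek)
}
// Decrypt unwraps the DEK with the KEK, then opens the ciphertext with the DEK.
func Decrypt(kek, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
// RotateKEK rewraps the DEK under newKEK; the ciphertext is not even an input, so annual KEK rotation never re-encrypts stored data.
func RotateKEK(oldKEK, newKEK, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek), nil
}
```

In the platform the KEK never leaves the HSM, so the unwrap inside RotateKEK would be performed by the HSM or cloud KMS rather than in application memory as it is here.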
4. Threat Model Summary
The VPC Platform threat model considers the following threat actors and attack vectors:
External Attackers
Network-level attacks mitigated through TLS 1.3, certificate pinning, and WAF rules. Application-level attacks addressed through input validation, parameterized queries, and security headers. Regular penetration testing by third-party firms.
Malicious Insiders
Access controls enforce least-privilege. All data access logged to immutable audit storage. Background checks required for all employees with data access. Customer data access requires ticket-based approval with automatic expiration.
Compromised Participants
Identity verification reduces impersonation risk. Presence monitoring detects session handoffs. Cryptographic binding between the identity verification and the session prevents credential-sharing attacks.
Report Tampering
All reports cryptographically signed at generation. Timestamps from RFC 3161 timestamp authority. Hash verification allows detection of any modification. Original reports stored in append-only storage.
5. Privacy Guarantees
- Data Minimization: Only data necessary for verified presence is collected. No behavioral analytics, no environmental scanning, no keystroke logging.
- Purpose Limitation: Data collected for presence verification is used only for presence verification and audit reporting. No secondary uses, no data sales, no advertising.
- No Biometric Databases: Identity verification data is processed in real time and deleted after verification. We do not maintain biometric databases or facial recognition galleries.
- Tenant Isolation: Each customer organization is a separate tenant with complete data isolation. No data sharing between tenants. Separate encryption keys per tenant.
- Right to Deletion: Participants may request deletion of their personal data subject to legal retention requirements. Deletion requests processed within 30 days.
6. Infrastructure Security
- Hosting: Primary infrastructure hosted on SOC 2 Type II certified cloud providers with geographic redundancy.
- Network Security: Private network segments, WAF protection, DDoS mitigation, and intrusion detection systems.
- Monitoring: 24/7 security monitoring with automated alerting. Security incident response procedures documented and tested quarterly.
- Backup: Encrypted backups with geographic redundancy. Recovery point objective (RPO): 1 hour. Recovery time objective (RTO): 4 hours.
7. Compliance Framework Support
The VPC Platform architecture supports compliance with the following frameworks. Specific compliance certifications available upon request.
Security Contact
For security inquiries, vulnerability reports, or to request detailed security documentation:
security@vpcplatform.com
PGP key available at /security/pgp-key.txt