Security & Compliance

Trust by Architecture, Not by Promise

Ven Marketplace is built for the regulated insurance industry — data isolation at the database layer, AI processing without persistent storage, and a clear path to SOC 2 Type II and ISO 27001 certification.

What's in Place Today

Authentication & Identity (Clerk, SOC 2)

JWT-based auth verified at the edge on every request. Short-lived sessions and cryptographically validated webhooks.

Row-Level Security (RLS) on Supabase (SOC 2)

PostgreSQL RLS enforced on all tables. Organizations can only access their own data — enforced at the database layer.

Encryption in Transit & at Rest (AES-256)

TLS 1.3 via Vercel edge. AES-256 at rest on database and document storage.

Server-Side Processing

All API secrets, AI calls, and database queries run server-side. No credentials or sensitive logic ever reach the browser.

Organization-Scoped Access Control

RBAC across four org types. Every endpoint verifies organization membership before returning any data.

Moderated Communications

All messages pass admin approval before delivery. Role-based visibility fields control who sees what, per message.

Isolated Document Storage (Box, SOC 2)

Per-project folder trees on Box.com with downscoped access tokens. Full document version history preserved.

AI Data Isolation

Strict per-project AI indexes with namespace isolation — no cross-project data leakage. AI inference is stateless; no document content is retained between sessions.

Audit Trail Preservation

Messages never hard-deleted. Document versions preserved with full chains. Form submissions logged with IP and user agent.

HTTP Security Headers

X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and HSTS enforced on every response. Content Security Policy scoped to active services.

API Rate Limiting (Upstash)

Two-tier protection via Upstash Redis: IP-based flood guard at the edge (200 req/min) and per-user quota on AI inference endpoints (20 req/min).

Architecture at a Glance

Data Flow
  • User authenticates via Clerk (JWT)
  • Middleware verifies token on every request
  • All API routes execute server-side
  • Database enforces RLS — org-scoped access
  • Documents stored in isolated Box.com folders per project
  • AI processes via per-project index — no cross-contamination
Key Design Principles
  • Multi-tenant with database-level isolation (RLS)
  • Moderated messaging — admin approval before delivery
  • Soft-delete with full audit trail preservation
  • Document versioning with complete history
  • Role-based visibility on every data access path
  • All infrastructure providers independently SOC 2 certified
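The RLS card above and the data-flow steps describe organization-scoped access enforced inside PostgreSQL. The following is an added illustration of such a policy in Supabase-style SQL; it is not Ven's own schema, and the projects table, its org_id column, the org_id JWT claim and the helper function name are assumptions.

```sql
-- Added illustration (not Ven's schema): org-scoped RLS in PostgreSQL/Supabase.
-- Assumed: a tenant-owned table with an org_id column, and a verified JWT whose
-- claims (including an assumed 'org_id' claim) are exposed to SQL by Supabase
-- through the request.jwt.claims setting.

create table if not exists projects (
  id      bigint generated always as identity primary key,
  org_id  text not null,   -- owning organization, matches the JWT org claim
  name    text not null
);

-- Enable RLS, and FORCE it so the table owner is subject to the policies too
-- (without FORCE, the owning role silently bypasses every policy).
alter table projects enable row level security;
alter table projects force row level security;

-- Read the caller's organization id out of the verified JWT claims.
-- current_setting(..., true) returns NULL instead of erroring when unset,
-- and nullif() turns an empty claim into NULL as well.
create or replace function current_org_id() returns text
language sql stable
as $$
  select nullif(current_setting('request.jwt.claims', true)::jsonb ->> 'org_id', '');
$$;

-- A row is visible or writable only when its org_id equals the caller's org.
-- With no claim, current_org_id() is NULL; NULL = anything is not true, so an
-- unauthenticated or mis-issued token sees and changes nothing.
create policy projects_select_own_org on projects
  for select using (org_id = current_org_id());

create policy projects_modify_own_org on projects
  for all using (org_id = current_org_id())
  with check (org_id = current_org_id());
```

The Supabase service-role key bypasses RLS entirely, so server-side routes must query with the caller's JWT under the anon/authenticated role rather than the service role, or the database-layer guarantee no longer applies.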

Compliance Roadmap

Compliance Automation & Trust Center

Continuous infrastructure monitoring via Vanta. Public Trust Center with real-time posture and downloadable security artifacts.

GDPR & CCPA Data Subject Rights

Data export, Right to Erasure with PII anonymization, California opt-out, and consent management — balanced against regulatory retention.

Zero-Data Retention (ZDR) AI

Migration to enterprise-tier AI infrastructure (Google Vertex AI or AWS Bedrock) where prompts are discarded immediately after inference and excluded from abuse-monitoring logs and foundation-model training.

Immutable Audit Logging & SIEM

Append-only audit log for all platform actions — document access, admin decisions, data changes — streamed to SIEM.

SOC 2 Type II Certification

Formal audit covering Security, Availability, Confidentiality, and Processing Integrity trust service criteria.

NYDFS Part 500 Alignment

MFA enforcement, written asset inventory, and third-party risk management for clients operating under NY insurance licenses.

Secure Email Ingestion

Zero-trust push ingestion via dedicated submission aliases, requiring no inbound connection to client networks. Built on highly scalable cloud infrastructure to handle 50MB+ insurance payloads and complex multi-attachment deals without requiring direct access to corporate email servers.

ISO 27001:2022 Certification

ISMS certification with continuous third-party auditing against international standards.

ISO 42001 — AI Management System

The world's first international AI management standard — risk governance, transparency, fairness, and ethical safeguards.

Enterprise Security

Ven Enterprise

Custom infrastructure for regulated institutions

Dedicated Single-Tenant Infrastructure

Physically isolated database, compute, and storage. No shared resources, no cross-tenant risk.

BYOK Crypto-Shredding

Bring Your Own Key via GCP KMS or Azure Key Vault. Revoke the key to instantly render all data unreadable.

Custom AI Provider & ZDR SLAs

Choose your model (Azure OpenAI, AWS Bedrock, Vertex AI, or self-hosted) with contractual Zero-Data Retention guarantees.

Microsoft 365 / Google Workspace Pull Ingestion

Scoped OAuth access to a single shared inbox, restricted via RBAC for Applications, so the integration cannot read employee mailboxes.

Box Enterprise Email Upload

Each project VDR folder is assigned a dedicated @upload.box.com alias. Brokers email attachments directly: no size limits, no custom SMTP receiver, and files land in the right deal folder automatically.

Privileged Access Management (PAM)

JIT engineering access with ticket-based approval, time-limited credentials, and every query streamed to your SIEM.

Data Residency & Geo-Fencing

Dedicated infrastructure in EU, US, or APAC with strict geo-fencing for data sovereignty requirements.

Custom BAA / HIPAA

Business Associate Agreements and HIPAA-eligible infrastructure for health-adjacent insurance lines.

Dedicated Security Contact & SLA

Named liaison, custom incident response SLAs, annual pen test reports, and priority vulnerability disclosure.

Infrastructure & Sub-Processors

Provider               Role                                    SOC 2   ISO 27001   GDPR
Vercel                 Hosting & Edge Network                  Yes     Yes         Yes
Supabase               Database (PostgreSQL + RLS)             Yes     No          Yes
Clerk                  Authentication & Identity               Yes     No          Yes
Box.com                Document Storage & Preview              Yes     Yes         Yes
Google Cloud (Gemini)  AI Processing & FileSearchStore Index   Yes     Yes         Yes
SendGrid (Twilio)      Transactional Email                     Yes     Yes         Yes
PostHog                Product Analytics & Session Replay      Yes     No          Yes
Upstash                Edge Rate-Limiting (Redis)              Yes     No          Yes

Policies

Questions?

Security inquiries, vendor questionnaires, or requests for detailed security documentation.

daphne@vencover.com