What we do today. What we have not done yet.

Encryption

• TLS 1.2 or higher for every connection between you, our servers, and our sub-processors, enforced at the edge by our Caddy reverse proxy with automatic HTTPS.
• OAuth tokens and other secrets are encrypted with AES-256-GCM, and off-site backups are encrypted. We run our own PostgreSQL and Redis rather than third-party managed data services.
• Discord bot tokens are encrypted before they touch the database. Plain-text tokens never get written to logs.

Network and hosting

• Hosted on a dedicated virtual private server. The database and cache are bound to a private internal network with no public ingress.
• TLS terminates at our Caddy reverse proxy; only the proxy is exposed to the public internet.
• Secrets are supplied through environment configuration and held in memory; the token-encryption key is never written to logs.

Code and dependencies

• TypeScript end to end, strict mode, no `any` in production paths.
• Static analysis (ESLint, type checking) and dependency scanning run in CI on every change.
• Renovate-style automated dependency updates with the security advisory feed.

Access

• Today the engineering team is one person (Hydra). Production access is single-name and protected with two-factor authentication.
• Every production action is recorded in an append-only audit log that any future teammate inherits read access to.
• OAuth scopes from Discord are minimal: identify, email, and guilds. We never request bot administrator or message intent we do not use.

Data handling

• Sub-processors are listed in plain text in our DPA and Privacy Policy. We will email customers thirty days before any change.
• AI providers (OpenAI, Anthropic) operate under contract terms that prohibit training their foundation models on customer prompts.
• You can request export or deletion of everything your server has stored at any time by emailing privacy@vantasupport.com; we action it within thirty days.

Backups and recovery

• Encrypted automated backups taken daily to off-site object storage (Cloudflare R2) on a rolling fourteen-day window.
• Documented restore procedure. We have done a successful test restore. We are not yet promising an SLA-grade RPO or RTO.
• Service-side rate limits and per-server quotas prevent a runaway dependency or abuser from taking down other tenants.

Where is data stored?

On our own PostgreSQL on a dedicated virtual private server, with encrypted backups to Cloudflare R2. AI prompts go to our AI providers (OpenAI for embeddings, Anthropic for replies) in the United States under contractual terms.

Is the bot token encrypted?

Yes. On the Premium plan you bring your own Discord bot token. It is encrypted before it is written to the database, decrypted only in memory when the bot connects to Discord, and never written to logs.

Do you use customer data to train models?

No. Our contractual terms with each AI sub-processor prohibit training on customer prompts, and we do not derive training datasets from your messages on our own side either.

Who has access to production?

Today, one person: Hydra, the engineering co-founder. Access is protected with two-factor authentication and every action is logged. As the team grows we will add named roles, and the access boundaries already exist in the audit log to enforce that.

How do I report a vulnerability?

Email security@vantasupport.com with the details. We will triage and acknowledge within one business day. Good-faith research is covered by the safe harbor clause in our Terms of Service.

Can I get a security questionnaire response?

Yes, but the honest version. We will answer your vendor questionnaire with what we actually have in place today and what is planned. We are not going to claim a SOC 2 we have not earned.