Security
Last updated
1. Our Security Posture
VenturOS is built for solo builders, micro-SaaS operators and vibe coders building real businesses who want leverage without giving up control of their work. Security is not a feature we bolted on — it's the foundation we ship on.
2. Repository Access
Read-only by default. When you connect a GitHub repository, VenturOS requests scoped, read-only access. We do not write to your repo, push commits, open pull requests, comment on issues, or modify any files.
- OAuth scopes are limited to repo read access. We never request write or admin permissions.
- You can revoke access at any time from your GitHub settings or from inside VenturOS.
- Disconnecting purges your repository context from our systems within 24 hours.
3. AI & Your Data
Your code and business data are never used to train AI models.
- We contractually prohibit our AI providers from training on your data.
- Your inputs and the resulting outputs are processed only to fulfill your specific requests.
- You retain full ownership of your inputs and the AI-generated outputs.
4. Encryption
- In transit: All traffic between your browser, our infrastructure, and our service providers uses TLS 1.2 or higher.
- At rest: Customer data is encrypted at rest using AES-256.
- Secrets: API keys, OAuth tokens, and service credentials are stored in a managed secret store, never in plain text and never in source code.
5. Authentication & Access Control
- Account authentication is handled by a managed identity provider with industry-standard hashing for any password material.
- Session tokens are scoped, rotated, and short-lived.
- Internal employee access to production data is limited to a need-to-know basis, is audited, and is granted temporarily only when required for support.
6. Sub-Processors
VenturOS relies on a small set of vetted sub-processors to deliver the service:
| Sub-processor | Purpose | Region |
|---|---|---|
| Managed backend platform | Database, auth, storage, edge functions | EU / US |
| AI inference gateway | Routed access to leading LLM providers | US |
| Cloud hosting (CDN & edge) | Static asset delivery, edge runtime | Global |
| Email transactional provider | Account and product email | EU |
| Error and performance monitoring | Crash reports, latency, traces | EU / US |
All sub-processors are bound by data processing agreements that require them to maintain appropriate security measures and process your data only on our instructions.
7. Data Residency
Customer data is stored primarily in the EU and the US, depending on the sub-processor. We are evaluating regional residency options for enterprise customers. If you have specific residency requirements, contact hello@ventur-os.com.
8. Vulnerability Reporting
We welcome responsible disclosure. If you believe you have found a security issue in VenturOS, please email hello@ventur-os.com with details and reproduction steps. We commit to responding within 72 hours.
Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.
9. Compliance Roadmap
VenturOS is in early access. We are actively building toward formal certifications:
- SOC 2 Type II — engagement planned for 2026.
- GDPR alignment — see our Privacy Policy for current commitments.
- ISO 27001 — under evaluation for 2027.
10. Contact
Security questions, sub-processor lists for procurement, or DPA requests: hello@ventur-os.com.