Security & Infrastructure
How VulpaSoft protects your data at every layer of the stack.
Encryption in Transit
All data is transmitted over TLS 1.2+. The tracking script communicates with our API exclusively over HTTPS. No plaintext data ever touches the wire.
Encryption at Rest
All stored data is encrypted at rest using AES-256. Database backups, event logs, and session recordings are all encrypted.
Automatic PII Masking
Form inputs, email addresses, and sensitive text are masked before data leaves the browser. This happens client-side, so PII never reaches our servers.
Daily-Rotating Hash
Session identification uses a SHA-256 hash with a daily-rotating salt. The hash cannot be reversed, and it becomes meaningless after 24 hours.
IP Address Handling
IP addresses are used only for hash computation and are never stored in raw form. The SHA-256 hash is irreversible — we cannot recover the original IP.
Access Controls
Project data is isolated per account. Team members access only their assigned projects. No VulpaSoft employee accesses customer data without explicit request.
Incident Response
In the unlikely event of a security incident, we follow a documented incident response plan. Affected customers will be notified within 72 hours as required by GDPR Article 33. Our DPO can be reached at dpo@vulpasoft.com.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@vulpasoft.com. We appreciate responsible disclosure and will acknowledge your report within 48 hours.