Organization Isolation
Change Records, evidence, templates, approvals, activity events, and related packet data are scoped to an organization. Authenticated users should only be able to access data that belongs to their organization.
Roles and Permissions
VDECK includes role-based access controls for organization users. Owners can manage billing and team settings, while other roles have narrower access based on product permissions.
Authentication and Sessions
Passwords are hashed before storage. Browser sessions use HTTP-only cookies, and production deployment is configured to require secure cookies over HTTPS.
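The two controls in this section, hashing before storage and HttpOnly/Secure session cookies, are shown below in an added Python example. It is illustration written for this page, not VDECK's own code: the scrypt parameters, the cookie name, and the `production` switch are assumptions, and the real application's hashing library and framework cookie helpers may differ.

```python
"""Password hashing and session cookie attributes.

Added example, not VDECK's code. Standard library only; the scrypt cost
parameters and the cookie name are assumptions for illustration.
"""
import hashlib
import hmac
import os
from http.cookies import SimpleCookie

# Assumed scrypt parameters (16 MiB work factor); tune to the hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt-hex>$<hash-hex>' for storage.

    A fresh random salt per user means two accounts with the same password
    store different values, so a leaked table cannot be attacked in bulk.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never crash
    if scheme != "scrypt":
        return False
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), digest_hex)


def session_cookie_header(session_id: str, production: bool) -> str:
    """Build the Set-Cookie value for the session cookie.

    HttpOnly keeps the session id out of reach of page scripts; Secure keeps
    it off plaintext connections and is enabled only in production so that
    local HTTP development still works; SameSite=Lax limits cross-site sends.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    if production:
        cookie["session"]["secure"] = True
    return cookie["session"].OutputString()
```

The check worth copying is the production/development split: the Secure flag is derived from deployment configuration rather than hard-coded, which is what lets a single code path satisfy "secure cookies over HTTPS in production" without breaking local use.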
Invite and Password Reset Tokens
Team invite and password reset flows use token-based links with expiration. Password reset tokens are intended for single-use account recovery.
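The properties this section names (expiring links, single-use recovery) come down to three checks at redemption time. The added Python example below is not VDECK's code; it uses an in-memory dict in place of a database table, a 30-minute lifetime that is an assumption, and an explicit `now` argument so the expiry logic can be exercised without waiting.

```python
"""Expiring, single-use invite and password reset tokens.

Added example, not VDECK's code. The token store is an in-memory dict
standing in for a database table; the lifetime is an assumed default.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TTL_SECONDS = 30 * 60  # assumed 30-minute lifetime


@dataclass
class TokenRecord:
    token_hash: str     # only the SHA-256 of the token is stored
    user_id: int
    purpose: str        # "password_reset" or "invite"
    expires_at: float   # unix timestamp
    used: bool = False


class TokenStore:
    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Storing a hash means a read of the table does not yield usable links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: int, purpose: str, now: float,
              ttl: int = RESET_TTL_SECONDS) -> str:
        """Create a token and return the raw value to embed in the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        key = self._hash(token)
        self._records[key] = TokenRecord(key, user_id, purpose, now + ttl)
        return token

    def redeem(self, token: str, purpose: str, now: float) -> Optional[int]:
        """Validate and consume in one step.

        Returns the user id on success, None otherwise. The purpose check
        stops an invite link from being replayed as a password reset; the
        `used` flag makes recovery single-use; the expiry bounds the window.
        """
        rec = self._records.get(self._hash(token))
        if rec is None or rec.purpose != purpose or rec.used or now > rec.expires_at:
            return None
        rec.used = True
        return rec.user_id
```

In a real deployment the "validate and consume" step should be one database transaction (for example an `UPDATE ... WHERE used = false` that is checked for exactly one affected row) so two concurrent requests with the same link cannot both succeed.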
Evidence Access
Evidence files are not served as a public static directory. Upload, preview, and download requests go through authenticated API routes and organization checks.
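The Organization Isolation and Evidence Access sections describe the same control from two angles: every lookup is keyed by the caller's organization, and the organization comes from the session, not from the request. The added Python example below is not VDECK's code; the in-memory table, record ids and organization ids are constructed for illustration, and the handler stands in for whatever route layer the application actually uses.

```python
"""Organization-scoped record access for evidence downloads.

Added example, not VDECK's code. The "database" is an in-memory dict and all
ids are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Evidence:
    id: int
    org_id: int
    filename: str


@dataclass(frozen=True)
class User:
    id: int
    org_id: int  # bound to the authenticated session, never client-supplied


# Constructed sample data: two organizations, one evidence file each.
EVIDENCE = {
    1: Evidence(id=1, org_id=10, filename="packet-a.pdf"),
    2: Evidence(id=2, org_id=20, filename="packet-b.pdf"),
}


class NotFound(Exception):
    """Raised for both 'does not exist' and 'belongs to another organization'."""


def get_evidence_unscoped(evidence_id: int) -> Evidence:
    """Weak pattern, shown for contrast: looks up by id alone, so any
    authenticated user who supplies another organization's id gets its record."""
    try:
        return EVIDENCE[evidence_id]
    except KeyError:
        raise NotFound()


def get_evidence_for_org(evidence_id: int, org_id: int) -> Evidence:
    """Hardened pattern: the organization id is part of the lookup, and a
    record from another organization is indistinguishable from a missing one
    (same exception, same status), so no existence oracle is exposed."""
    record = EVIDENCE.get(evidence_id)
    if record is None or record.org_id != org_id:
        raise NotFound()
    return record


def download_handler(user: User, evidence_id: int) -> Tuple[int, Optional[str]]:
    """Simulated authenticated API route. The only org id it ever uses is the
    one attached to the session user; an org id in the query string is ignored."""
    try:
        record = get_evidence_for_org(evidence_id, user.org_id)
    except NotFound:
        return 404, None
    return 200, record.filename
```

With a real database the same idea is `WHERE id = $1 AND org_id = $2` on every query that touches packet data, ideally applied centrally (a repository layer or row-level security) so that no individual route can forget it.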
Billing
Billing checkout and subscription management are handled by Stripe. VDECK stores billing identifiers needed to connect an organization to its Stripe customer or subscription, but does not store full card numbers.
Backups
Production deployment guidance includes backup scripts for Postgres and the uploads directory, restore procedures, cron examples, and backup verification guidance. Operators should store backups outside the application server and periodically test restores.
Responsible Disclosure
If you believe you found a security issue, contact contact@faultlinesystems.com. Please include enough detail to reproduce the issue and avoid accessing, modifying, or deleting data that does not belong to you.
Certification Status
VDECK is not currently SOC 2 certified. VDECK does not currently claim HIPAA, ISO, GDPR, or other regulatory certification.