Enterprise-Grade Security
VynFi is built with defense-in-depth security from day one. Every layer of our infrastructure is designed to protect your data and meet the most demanding compliance frameworks.
Data Protection
Encryption everywhere, no exceptions
Encryption at Rest
- AES-256: Azure platform-managed encryption for all storage and database volumes
- Blob SSE: Server-Side Encryption for object storage
- Key Vault: Centralized secret and key management with access policies
Encryption in Transit
- TLS 1.2+: All external connections require TLS 1.2 or higher
- SSL Required: Enforced SSL/TLS for all database and cache connections
Network Architecture
Zero-trust networking with defense-in-depth
Never Trust
Every request is authenticated and authorized regardless of network origin. No implicit trust for any actor.
Least Privilege
Identities receive the minimum permissions needed. Service accounts use workload identity with scoped RBAC.
Assume Breach
The architecture limits blast radius: network segmentation into dedicated subnets and continuous monitoring contain threats.
VNet Topology
Subnet segmentation within the VynFi Azure Virtual Network
| Subnet | CIDR | Purpose |
|---|---|---|
| AKS System | 10.0.0.0/22 | Kubernetes system node pool and control plane |
| AKS Workload | 10.0.4.0/22 | Application workload pods and services |
| Data Services | 10.0.8.0/24 | PostgreSQL, Redis, and storage accounts |
| API Management | 10.0.9.0/24 | API gateway and management services |
| Private Link | 10.0.10.0/24 | Private endpoints for Azure PaaS services |
DDoS Protection
Azure Front Door provides built-in DDoS mitigation for all public-facing endpoints, giving infrastructure-level protection against volumetric and protocol attacks.
CORS Policy
Strict origin allowlisting on all API endpoints. Credentials, methods, and headers are explicitly configured per-route. Wildcard origins are never permitted.
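The origin check behind an allowlist like this is where CORS policies usually go wrong: a substring, suffix or regex comparison lets `https://evilexample.com` or `https://app.example.com.attacker.net` through. The following is an added example, not VynFi's own code, showing exact-match, per-route origin allowlisting with credentials and `Vary: Origin` handled; the route table, origins and header sets are constructed for illustration.

```python
"""Exact-match CORS origin allowlisting, per route.

Added example, not VynFi's own code: it shows the check a gateway or
middleware should make before emitting any Access-Control-* header.
Origins are compared by exact scheme, host and port, never by substring,
suffix or regex, and '*' is never produced. The route table and its
origins are constructed for illustration.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed per-route CORS configuration (hypothetical values).
ROUTES: Dict[str, dict] = {
    "/v1/generate": {
        "origins": {"https://app.example.com", "https://console.example.com:8443"},
        "methods": {"POST", "OPTIONS"},
        "headers": {"Authorization", "Content-Type"},
        "credentials": True,
    },
}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonical 'scheme://host[:port]' for an Origin value, or None if it is
    not a plain origin (path, userinfo, opaque 'null', unknown scheme)."""
    try:
        p = urlsplit(origin)
        port = p.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if p.scheme not in ("https", "http") or not p.hostname:
        return None
    if p.path or p.query or p.fragment or p.username is not None:
        return None
    default = 443 if p.scheme == "https" else 80
    host = p.hostname.lower()
    if port is None or port == default:
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{port}"


def cors_headers(route: str, origin: Optional[str]) -> Dict[str, str]:
    """Headers to add for this request, or {} to deny (no CORS headers at all,
    which makes the browser block the cross-origin read)."""
    cfg = ROUTES.get(route)
    if cfg is None or origin is None:
        return {}
    norm = normalize_origin(origin)
    if norm is None or norm not in {normalize_origin(o) for o in cfg["origins"]}:
        return {}
    headers = {
        "Access-Control-Allow-Origin": norm,  # echo the one matched origin, never '*'
        "Access-Control-Allow-Methods": ", ".join(sorted(cfg["methods"])),
        "Access-Control-Allow-Headers": ", ".join(sorted(cfg["headers"])),
        "Vary": "Origin",  # the response differs per origin, so caches must key on it
    }
    if cfg["credentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def weak_suffix_check(origin: str) -> bool:
    """The common mistake this replaces: a substring test that lets both
    'https://evilexample.com' and 'https://app.example.com.attacker.net' through."""
    return "example.com" in origin


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://evilexample.com", "null"):
        print(o, "->", cors_headers("/v1/generate", o) or "denied")
```

Denial is expressed by omitting the CORS headers entirely rather than returning an error, which is what makes the browser refuse the cross-origin read; note that `Access-Control-Allow-Credentials: true` is only ever paired with a single echoed origin, since browsers reject it alongside `*`.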
API Key Security
Defense-in-depth for every API credential
Argon2id Hashing
API keys are hashed using Argon2id with per-key salts. Raw keys are never stored or logged.
OAuth2 Scopes
Fine-grained permission scopes: generate:write, jobs:read, catalog:read, usage:read, admin:all.
IP Allowlisting
Restrict API key usage to specific IP addresses or CIDR ranges. Available on Team tier and above.
GitHub Secret Scanning
A GitHub secret scanning partnership is planned; once active, API keys leaked in public repositories will be revoked automatically.
Test Keys
Keys with the vf_test_ prefix generate synthetic data at zero credit cost and never touch production data.
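The properties above (hashed secrets with per-key salts, scopes, IP allowlists, revocation of leaked keys, and a test prefix) fit together into one verification path. The following is an added example, not VynFi's own code, showing one way to build it. Argon2id is not in Python's standard library, so `hashlib.scrypt` stands in for it as the memory-hard hash; the rest of the logic is unchanged if an Argon2id binding is substituted. The key layout `vf_<env>_<key_id>_<secret>`, the in-memory store and the sample CIDRs are assumptions for illustration; the non-secret key id is what makes per-key salts workable, since the record can be looked up before the hash is computed.

```python
"""API key issuance and verification with hashed secrets, scopes and IP allowlists.

Added example, not VynFi's own code. The raw key exists only at issuance,
the store keeps a per-key salt and a memory-hard hash, lookup is by a
non-secret key id, and scope, IP allowlist and the test/live prefix are
checked on every request. hashlib.scrypt stands in for Argon2id. The key
layout vf_<env>_<key_id>_<secret>, the in-memory store and the sample
CIDRs are assumptions for illustration.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List, Optional, Tuple

KEY_STORE: Dict[str, dict] = {}        # key_id -> record; in-memory stand-in for the database
DUMMY_SALT = secrets.token_bytes(16)   # keeps the unknown-key path as slow as a real check
ADMIN_SCOPE = "admin:all"


def kdf(secret: str, salt: bytes) -> bytes:
    """Memory-hard hash of the secret half of the key (scrypt standing in for Argon2id)."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def issue_key(env: str, scopes: List[str], allowed_cidrs: Optional[List[str]] = None) -> str:
    """Mint a key, persist only its salted hash, and return the raw key exactly once."""
    if env not in ("live", "test"):
        raise ValueError("env must be 'live' or 'test'")
    key_id = secrets.token_hex(6)      # public lookup handle, safe to log
    secret = secrets.token_hex(24)     # 192 bits of entropy; hex keeps '_' out of the key
    salt = secrets.token_bytes(16)
    KEY_STORE[key_id] = {
        "env": env,
        "salt": salt,
        "hash": kdf(secret, salt),
        "scopes": set(scopes),
        "cidrs": [ipaddress.ip_network(c) for c in (allowed_cidrs or [])],
        "revoked": False,
    }
    return f"vf_{env}_{key_id}_{secret}"


def mask_key(raw: str) -> str:
    """The only form of a key that may reach logs: prefix and key id, secret dropped."""
    parts = raw.split("_", 3)
    return "_".join(parts[:3]) + "_..." if len(parts) == 4 else "<invalid key>"


def revoke(key_id: str) -> bool:
    """Revoke by id, e.g. when a scanner reports a leaked key (the id is in the leaked text)."""
    rec = KEY_STORE.get(key_id)
    if rec is None:
        return False
    rec["revoked"] = True
    return True


def verify(raw: str, client_ip: str, required_scope: str) -> Tuple[bool, str]:
    """Authenticate a presented key and authorise one scope for one client address.
    Returns (True, env) on success so the caller knows whether to serve synthetic
    test data, or (False, reason) on any failure."""
    parts = raw.split("_", 3)
    if len(parts) != 4 or parts[0] != "vf" or parts[1] not in ("live", "test"):
        return False, "malformed"
    _, env, key_id, secret = parts
    rec = KEY_STORE.get(key_id)
    if rec is None or rec["env"] != env:
        kdf(secret, DUMMY_SALT)        # same cost as a real check, so absent ids are not distinguishable by timing
        return False, "unknown key"
    if not hmac.compare_digest(kdf(secret, rec["salt"]), rec["hash"]):
        return False, "bad secret"
    if rec["revoked"]:
        return False, "revoked"
    if rec["cidrs"] and not any(ipaddress.ip_address(client_ip) in net for net in rec["cidrs"]):
        return False, "ip not allowlisted"
    if ADMIN_SCOPE not in rec["scopes"] and required_scope not in rec["scopes"]:
        return False, "missing scope"
    return True, env


if __name__ == "__main__":
    key = issue_key("live", ["generate:write", "jobs:read"], ["203.0.113.0/24"])
    print("issued", mask_key(key))
    print(verify(key, "203.0.113.7", "jobs:read"))       # (True, 'live')
    print(verify(key, "198.51.100.1", "jobs:read"))      # (False, 'ip not allowlisted')
```

Two details matter in practice: the secret is hashed before the revocation or scope checks so that every failure path costs the same, and `mask_key` is the only representation that should ever be logged, which also gives the incident responder the key id needed for `revoke`.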
Multi-Tenancy Isolation
Structural guarantees that tenant data never crosses boundaries
Query Scoping
Every database query is automatically scoped to the caller's tenant_id by row-level security policies.
Storage Isolation
Generated files use tenant-scoped paths. Cross-tenant access is structurally impossible.
Rate Limiting
Per-tenant rate limits enforced at the API gateway. Noisy neighbor prevention built in.
Cache Isolation
Redis key prefixes ensure tenant cache isolation. No data leakage between tenant sessions.
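Row-level security covers the database, but the same boundary has to be re-established for blob paths and cache keys, where a caller-supplied object name such as `../<other-tenant>/export.csv` would otherwise walk out of the tenant prefix. The following is an added example, not VynFi's own code, showing tenant-scoped path and key construction with the escape checks that make the prefix a real boundary. The prefix layouts (`tenants/<uuid>/...` and `tenant:<uuid>:...`), UUID tenant ids and the in-memory cache are assumptions for illustration; the PostgreSQL policy text is included only for comparison with the storage-side checks and is not executed.

```python
"""Tenant-scoped storage paths and cache keys, with boundary enforcement.

Added example, not VynFi's own code. The prefix layouts, UUID tenant ids
and the in-memory cache are assumptions for illustration; RLS_POLICY_SQL
shows the database-side counterpart for comparison and is not executed.
"""
import posixpath
import re
from typing import Dict, Optional

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Database-side counterpart (PostgreSQL row-level security), shown for reference only.
RLS_POLICY_SQL = """
ALTER TABLE jobs ENABLE ROW LEVEL SECURITY;
ALTER TABLE jobs FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON jobs
    USING (tenant_id = current_setting('app.tenant_id')::uuid);
"""


class TenantBoundaryError(ValueError):
    """Raised when a name would address data outside the caller's tenant."""


def check_tenant_id(tenant_id: str) -> str:
    """Only a well-formed lowercase UUID may become a path or key segment."""
    if not UUID_RE.match(tenant_id):
        raise TenantBoundaryError(f"invalid tenant id {tenant_id!r}")
    return tenant_id


def storage_path(tenant_id: str, object_name: str) -> str:
    """Return 'tenants/<id>/<clean name>', or raise if the name would escape the prefix."""
    prefix = f"tenants/{check_tenant_id(tenant_id)}/"
    if not object_name or "\x00" in object_name or "\\" in object_name or object_name.startswith("/"):
        raise TenantBoundaryError("absolute or malformed object name")
    clean = posixpath.normpath(object_name)          # collapses './', '//' and 'a/../'
    if clean in (".", "..") or clean.startswith("../"):
        raise TenantBoundaryError("object name escapes tenant prefix")
    path = prefix + clean
    if not path.startswith(prefix) or "/../" in path:  # final structural check, never skipped
        raise TenantBoundaryError("object name escapes tenant prefix")
    return path


def tenant_of_path(path: str) -> str:
    """Recover the owning tenant from a stored path, e.g. before serving a download."""
    parts = path.split("/", 2)
    if len(parts) != 3 or parts[0] != "tenants":
        raise TenantBoundaryError("path is not tenant-scoped")
    return check_tenant_id(parts[1])


def cache_key(tenant_id: str, name: str) -> str:
    """Redis-style key 'tenant:<id>:<name>'; ':' is reserved so keys stay parseable."""
    if not name or ":" in name or any(c.isspace() for c in name):
        raise TenantBoundaryError("invalid cache key name")
    return f"tenant:{check_tenant_id(tenant_id)}:{name}"


class TenantCache:
    """A view over a shared key-value store that can only touch one tenant's keys."""

    def __init__(self, backend: Dict[str, str], tenant_id: str):
        self._backend = backend
        self._tenant = check_tenant_id(tenant_id)

    def set(self, name: str, value: str) -> None:
        self._backend[cache_key(self._tenant, name)] = value

    def get(self, name: str) -> Optional[str]:
        return self._backend.get(cache_key(self._tenant, name))


if __name__ == "__main__":
    t1 = "11111111-1111-1111-1111-111111111111"
    print(storage_path(t1, "exports/./run-1/data.csv"))
    try:
        storage_path(t1, "../22222222-2222-2222-2222-222222222222/data.csv")
    except TenantBoundaryError as e:
        print("rejected:", e)
```

The tenant id always comes from the authenticated session, never from the request path or body; the checks here exist so that even a bug upstream cannot turn a filename into a cross-tenant read.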
Compliance
Regulatory alignment and certification roadmap
GDPR
Active: Compliance with the EU General Data Protection Regulation. Data processing agreements, right to erasure, and data portability are supported.
Swiss FADP
Active: Compliance with the Swiss Federal Act on Data Protection (DSG). As a Swiss company, VynFi is subject to FADP requirements.
EU AI Act Article 50
Active: Synthetic data labeling and transparency obligations are met. Generated datasets carry provenance metadata.
SOC 2 Type II
In progress: Infrastructure is being aligned with the Trust Services Criteria for Security, Availability, and Confidentiality.
ISO 27001
In progress: An Information Security Management System is targeted for a future phase.
SOC 2 Control Mapping
How VynFi infrastructure maps to the Trust Services Criteria
| Control ID | Control Name | VynFi Implementation |
|---|---|---|
| CC6.1 | Logical Access | Microsoft Entra External ID + RBAC + API key scopes |
| CC8.1 | Change Management | GitHub PR reviews + Flux CD GitOps |
| CC7.1 | System Monitoring | Azure Monitor + Log Analytics + metric alerts |
| CC7.3 | Vulnerability Management | Trivy + Dependabot + DAST scans |
| CC6.7 | Data Encryption | TLS 1.2+ in transit, AES-256 at rest |
| A1.2 | Recovery Procedures | Azure Backup + geo-redundant failover |
Security Operations
Continuous security testing across the development lifecycle
Container Scanning
Trivy scans container images for CVEs before deployment.
Dependency Scanning
Dependabot and cargo-audit monitor Rust and npm dependencies.
Static Analysis
Clippy and ESLint run on every pull request.
Dynamic Testing
OWASP ZAP DAST scans run against the staging environment.
Penetration Testing
Third-party penetration testing planned for general availability.
SBOM
Software Bill of Materials generated in CycloneDX format.
Incident Response
Structured 6-step process for security incident handling
Detect
Automated alerting from Azure Monitor and Log Analytics
Triage
On-call engineer assesses severity and impact scope
Contain
Isolate affected systems and revoke compromised credentials
Eradicate
Remove threat vectors and patch vulnerabilities
Recover
Restore services and verify integrity from clean backups
Review
Blameless post-mortem published within 72 hours
Audit Logging
Complete, immutable records of every action
Complete Coverage
Every API call, auth event, and admin action logged
Immutable
Append-only log storage with tamper-evident checksums
365-Day Retention
Full audit trail retained for one year minimum
SIEM Ready
Structured JSON logs exportable to any SIEM platform
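"Append-only with tamper-evident checksums" is usually implemented as a hash chain: each record carries the hash of the record before it, so editing, deleting or reordering an earlier entry breaks every link after it, and truncation is caught by comparing the last link against a chain head kept outside the log. The following is an added example, not VynFi's own code, with structured JSON records of the kind a SIEM would ingest; the field names and sample events are constructed for illustration.

```python
"""Append-only audit log with a tamper-evident hash chain.

Added example, not VynFi's own code. Each record is one line of canonical
JSON that carries the SHA-256 of the previous line. Field names and sample
records are constructed for illustration; the chain head would be persisted
outside the log (separate store or signed checkpoint) in a real deployment.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

GENESIS = "0" * 64  # link value carried by the very first record


def canonical(record: Dict) -> str:
    """Deterministic serialisation so the hash does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def link(line: str) -> str:
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


class AuditLog:
    """In-memory stand-in for an append-only store; 'head' is the latest link."""

    def __init__(self) -> None:
        self.lines: List[str] = []
        self.head = GENESIS

    def append(self, actor: str, action: str, tenant_id: str, **fields) -> str:
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "seq": len(self.lines),
            "actor": actor,
            "action": action,
            "tenant_id": tenant_id,
            "prev": self.head,
            **fields,
        }
        line = canonical(record)
        self.lines.append(line)
        self.head = link(line)
        return line


def verify_chain(lines: Iterable[str], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain. Returns (True, n) for n intact records, or (False, i) where i
    is the first position whose link, sequence number or encoding does not match
    (the tampered record is at i or immediately before it). With expected_head,
    records missing from the end are reported at position len(lines)."""
    prev, count = GENESIS, 0
    for i, line in enumerate(lines):
        try:
            record = json.loads(line)
        except ValueError:
            return False, i
        if record.get("seq") != i or record.get("prev") != prev or canonical(record) != line:
            return False, i
        prev, count = link(line), i + 1
    if expected_head is not None and prev != expected_head:
        return False, count
    return True, count


def tamper(lines: List[str], index: int, **changes) -> List[str]:
    """Return a copy with one record edited in place (simulates an after-the-fact rewrite)."""
    edited = list(lines)
    record = json.loads(edited[index])
    record.update(changes)
    edited[index] = canonical(record)
    return edited


if __name__ == "__main__":
    log = AuditLog()
    log.append("user:alice", "api_key.create", "tenant-1", key_id="abc123")
    log.append("svc:gateway", "job.read", "tenant-1", status=200)
    print(verify_chain(log.lines, log.head))                                   # (True, 2)
    print(verify_chain(tamper(log.lines, 0, actor="user:mallory"), log.head))  # (False, 1)
```

A plain hash chain proves consistency with a trusted head, not authorship: an attacker with write access to both the log and the head can rewrite both. Replacing `link` with an HMAC under a key held by a separate service, or periodically signing the head, closes that gap.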