Security
Security and data protection
Last updated: April 27, 2026
1. Our security approach
VetScan handles personal information about you and health information about your dog. We treat both as sensitive. This page documents what we do to protect that data and how to report security issues.
2. Encryption
- In transit: All connections use TLS 1.3, the current version of the TLS protocol that underlies HTTPS. The site is served only over HTTPS; plain HTTP requests are redirected to HTTPS.
- At rest: All stored data is encrypted at rest with AES-256, the cipher the US government approves for protecting classified information.
- Database backups: Encrypted with separate keys, stored in geographically distinct locations.
3. Infrastructure
We rely on infrastructure providers with strong security postures:
- Hosting: Vercel — SOC 2 Type II compliant, ISO 27001 certified, runs on a global CDN with DDoS protection
- Email: Google Workspace — SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, FedRAMP
- Domain & DNS: Namecheap with DNSSEC available; CDN traffic routed through Cloudflare
- Database (post-launch): A SOC 2 Type II-certified provider; vendor selection in progress (target: Q2 2026)
4. Access controls
- Two-factor authentication required on all team accounts (Google Workspace, GitHub, Vercel, hosting)
- Principle of least privilege — team members only have access to what they need to do their job
- Audit logs for sensitive operations (admin actions, data exports, key rotations)
- Regular access reviews — at minimum quarterly, more often during team changes
5. Privacy by design
- Minimal data collection — we collect only what's needed for the service to work
- Anonymous triage option — basic triage requires no account; you can use the tool without creating an identity record
- Auto-deletion of inactive accounts after 24 months
- Data export available on request — you can request your data and take it elsewhere
- No third-party advertising trackers by default — we do not load Facebook Pixel, Google Ads, or similar trackers unless you opt in through the cookie banner
6. Compliance
- GDPR — compliant; full Data Processing Agreement (DPA) available on request for B2B partners
- CCPA — compliant for California residents; "Do Not Sell" link in footer (we don't sell data either way)
- SOC 2 Type II — audit in progress; target completion Q3 2026
- HIPAA — formally not applicable (HIPAA governs protected health information about people held by covered entities; veterinary records are not PHI); however, we voluntarily apply equivalent administrative, physical, and technical safeguards
7. Vulnerability disclosure program
If you discover a security vulnerability, please report it responsibly:
- Email: hello@vetscan.app with subject line "Security: [vulnerability summary]"
- What to include: a description of the vulnerability, steps to reproduce, and (if possible) suggested mitigation
- Our commitment: we acknowledge within 48 hours, triage within 5 business days, and provide a status update at least every 14 days until resolution
- Disclosure window: we ask researchers to allow 90 days before public disclosure; we will work with you to fix issues faster when severity warrants
- Machine-readable contact: we publish a security.txt file per RFC 9116
- Full policy & rules of engagement: SECURITY_POLICY.md (scope, severity rubric, safe harbor)
- Recognition: with your permission, we list valid reports on our public security log; bounty program in development
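A practitioner checking a vulnerability disclosure program usually starts by validating the published security.txt against RFC 9116: Contact is required, Expires is required and must appear exactly once, Preferred-Languages at most once, web URIs must be https, and a past Expires date means the file should be treated as stale. The validator below is an added example for this page, not VetScan's code; the sample files in it are constructed, and the https://vetscan.app/... URLs in them are assumed placeholders, not published locations. The RFC specifies the canonical location as /.well-known/security.txt.

```python
"""Validate a security.txt file against RFC 9116.

Added example for this page, not VetScan's code. The sample files at the
bottom are constructed; the https://vetscan.app/... URLs in them are assumed
placeholders, not published locations.
"""
import re
from datetime import datetime, timedelta, timezone

# Fields defined in RFC 9116 section 2.5 (names are case-insensitive).
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
# Fields whose value must be an https:// URI.
HTTPS_ONLY = {"acknowledgments", "canonical", "hiring", "policy"}
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")
# Fixed "now" so the samples below evaluate the same way every run.
AS_OF = datetime(2026, 4, 27, tzinfo=timezone.utc)


def parse_fields(text):
    """Return ([(name, value), ...], [syntax errors]).

    Comments (#) and blank lines are dropped. If the file is an OpenPGP
    cleartext-signed message, only the signed body is parsed.
    """
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[0].startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        body_start = lines.index("") + 1  # body follows the Hash: header block
        sig_start = next(i for i, l in enumerate(lines)
                         if l.startswith("-----BEGIN PGP SIGNATURE-----"))
        lines = lines[body_start:sig_start]
    fields, errors = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            errors.append(f"line {n}: not a 'Field: value' line")
            continue
        fields.append((name.strip().lower(), value.strip()))
    return fields, errors


def validate(text, now=None):
    """Return (errors, warnings): errors are MUST violations, warnings are
    RFC recommendations. An empty error list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_fields(text)
    warnings = []
    by_name = {}
    for name, value in fields:
        by_name.setdefault(name, []).append(value)
        if name not in KNOWN_FIELDS:
            # RFC 9116: unknown fields MUST be ignored, so only warn.
            warnings.append(f"unregistered field '{name}' ignored")

    if "contact" not in by_name:
        errors.append("Contact is required (at least one)")
    if len(by_name.get("expires", [])) != 1:
        errors.append("Expires is required and must appear exactly once")
    if len(by_name.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages must not appear more than once")

    for value in by_name.get("contact", []):
        if not SCHEME.match(value):
            errors.append(f"Contact '{value}' is not a URI (use mailto:, tel: or https://)")
        elif value.lower().startswith("http://"):
            errors.append(f"Contact '{value}' is a web URI but not https")
    for name in sorted(HTTPS_ONLY):
        for value in by_name.get(name, []):
            if not value.lower().startswith("https://"):
                errors.append(f"{name} '{value}' must be an https:// URI")
    for value in by_name.get("encryption", []):
        if not value.lower().startswith(("https://", "dns:", "openpgp4fpr:")):
            errors.append(f"Encryption '{value}' must be https://, dns: or openpgp4fpr:")

    if len(by_name.get("expires", [])) == 1:
        raw = by_name["expires"][0]
        try:
            expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"Expires '{raw}' is not an ISO 8601 date-time")
        else:
            if expires.tzinfo is None:
                errors.append("Expires must carry a time zone")
            elif expires <= now:
                errors.append(f"file expired on {raw}; treat it as stale")
            elif expires - now > timedelta(days=365):
                warnings.append("Expires is more than a year out (RFC 9116 recommends under a year)")
    return errors, warnings


# Constructed sample files (illustrative, not VetScan's published file).
GOOD = """\
# Canonical location is https://<host>/.well-known/security.txt
Contact: mailto:hello@vetscan.app
Expires: 2027-01-01T00:00:00Z
Policy: https://vetscan.app/SECURITY_POLICY.md
Preferred-Languages: en
"""

BAD = """\
Contact: http://vetscan.app/security
Expires: 2020-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: de
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        errors, warnings = validate(text, AS_OF)
        print(label, "errors:", errors, "warnings:", warnings)
```

To check a live site, fetch https://host/.well-known/security.txt and pass the body to validate(); a non-empty error list, or an Expires date in the past, means the file should not be relied on for contact details.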
8. Incident response
- We commit to notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, in line with GDPR Article 33
- We will notify affected users individually for any breach involving their personal data (GDPR Article 34 requires this only when the breach is likely to result in a high risk; we commit to it for every breach)
- We maintain a public security log on this page (see below)
Public security log: No reportable incidents to date. This log is updated within 30 days of any qualifying event.
9. Third-party processors
We use a limited set of vetted processors:
| Processor | Purpose | Region |
|---|---|---|
| Vercel | Hosting, CDN, edge compute | Global (configurable) |
| Google Workspace | Email, calendar, docs | US/EU |
| Cloudflare | DNS, DDoS protection | Global |
| Namecheap | Domain registrar | US |
Marketing email and analytics processors (e.g., Kit/ConvertKit, Plausible/GA4) will be added to this list before they are integrated.
10. Contact
- Security vulnerabilities: hello@vetscan.app (subject: Security)
- Privacy and data requests: privacy@vetscan.app
- General questions: hello@vetscan.app