Venvee — Security Overview

We protect your data

All data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.

Your data is sent using HTTPS

Whenever your data is in transit between you and us, everything is encrypted and sent over HTTPS using SSL/TLS. Within our firewalled private networks, data may be transferred unencrypted.

Any files which you upload to us are stored encrypted at rest. Our application data stores are encrypted at rest with Venvee-managed elliptic-curve and RSA keys (the former preferred where possible). Our database backups are encrypted in the same manner, using separate keys.

Full redundancy for all major systems

Our servers — from power supplies to the internet connection to the air purifying systems — operate at full redundancy. Our systems are engineered to stay up even if multiple servers fail.

Regularly-updated infrastructure

Our software infrastructure is updated regularly with the latest security patches. Our products run on a dedicated network which is locked down with firewalls and carefully monitored. While perfect security is a moving target, we work with security researchers to keep up with the state-of-the-art in web security and implement best practices.

We protect your billing information

All credit card transactions are processed using secure encryption—the same level of encryption used by leading banks. Card information is transmitted, stored, and processed securely on an independent PCI-compliant network serviced by Stripe. We do not store your credit card information, and thus are not responsible for maintaining PCI compliance.

Constant monitoring

We have a team dedicated to maintaining your account’s security on our systems, as well as monitoring tools we’ve set up to alert us to any nefarious activity against our domains. To date, we’ve never had a data breach.

We also carefully audit internal data access. If a Venvee employee wrongly accesses customer data, they will face disciplinary action in accordance with Venvee’s data policies. We have processes and defenses in place to keep our streak of zero data breaches going. But in the unfortunate circumstance that someone malicious does successfully mount an attack, we will immediately notify all affected customers and partners.

World-class security team

Security isn’t just about technology — it’s about trust. In an age where a single person can disrupt billion-dollar corporations with the press of a button, there’s no margin for taking risks or cutting corners. With the help of our security-minded experts and teams, we’ve worked hard to earn the trust of our clients worldwide. We’ll continue to work hard every day to maintain that trust. Longevity and stability are core to our mission at Venvee.

Want to know more?

We’ve got three pages of additional details in our security overview for you below.

Have a concern? Need to report an incident?

Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Please visit our security response page for details on how to securely submit a report.


Introduction

Keeping customer data safe and secure is a huge responsibility and a top priority for Venvee. We work hard to protect our customers from the latest threats. We store all our own sensitive information on the same servers our customers do. We don’t want our information compromised, so we’re motivated by self-preservation as well. Aligning our goals with your goals is the best way to see eye-to-eye on the need to keep everything as secure as we can.

Access control and organizational security

Relevant Policies

  • Acceptable Use Policy

  • Asset Management Policy

  • Backup Policy

  • Business Continuity/Disaster Recovery Plans

  • Code of Conduct

  • Data Classification, Retention, and Protection Policies

  • Encryption and Password Policies

  • Incident Response Plan

  • Physical Security Policy

  • Responsible Disclosure Policy

  • Risk Assessment Policy

  • Software Development Life Cycle Policy

  • System Access Management Policy

  • Vendor Management Policy

  • Vulnerability Management Policy

Personnel

All our employees and contractors (workers) sign confidentiality agreements before gaining access to our code and data. Background checks are performed on all workers. Everybody at Venvee is trained and made aware of security concerns and best practices for their systems, and must agree to all relevant policies. Remote access to servers is via our VPN using two-factor authentication, and is limited to workers who need access for their day-to-day work. Production servers are guarded via a just-in-time (JIT) request system, monitored and managed on a need-to-know basis. We log all access to all accounts by IP address, user, and operation.

We harden all computers used by Venvee workers with Google Workspace company hardware integration, as well as via the Drata Agent. This ensures that everyone at Venvee has a secured environment, and audits that environment daily. We additionally provide Mobile Device Management (MDM) technology through Google Workspace, to provide a secure work profile to compatible devices.

Dedicated teams

Our Cloud team and our Security team are in charge of access/identity management, network connectivity, firewalls and log file management. These two teams’ responsibilities include:

  • Maintain and support our automated test suite for development machines

  • Review all changes to the code and infrastructure to ensure they follow best practices and security guidelines (such as NIST and OWASP)

  • Build out, operate, and maintain product infrastructure, including logs, monitoring and authentication

  • Review, test and design incident response processes

  • Respond to alerts triggered by any security events

  • Coordinate external audits and security and privacy certifications

  • Monitor and alert on anomalous activity

  • Coordinate vulnerability and penetration testing with external security researchers

  • Implement and roll out app-level encryption and tools to protect customer data internally

Audits, Security Policies and Standards

Venvee itself has not completed a SOC 2 audit, but is actively working with Drata, an independent security & compliance platform, to attain SOC 2 Type I + II certification. We can refer you to our cloud providers’ SOC reports for the data centers we use on request. We leverage Google Workspace tools and our cloud provider’s tools and services to routinely monitor and automatically block suspicious activity (including vulnerability scanning, failed logins, and a host of other anomalous/suspicious activities). We also have alerts in place for excessive resource use that escalate to our Cloud team for manual investigation. Our products run on a dedicated network secured with firewalls and are carefully monitored with automation and reports, from the edge to the cloud.

Data protection and privacy

Our overall privacy policy is available at https://venvee.com/privacy. Some highlights:

Data location

Our primary data centers are in the United States, in Chicago and Ashburn, Virginia. We primarily use Amazon AWS and Google Cloud. All data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure. Our software infrastructure is updated regularly with the latest security patches, and is routinely vulnerability-scanned and pen-tested, with any notified findings then immediately remediated.

Encryption in-transit, at-rest and at-work

We offer encryption in-transit and at-rest for all of our services. Over public networks we send data using strong encryption. We use SSL certificates issued by Amazon, Inc. The connection uses RSA 2048 for encryption, with SHA2 for message authentication and RSA as the key exchange mechanism. You can check our currently supported ciphers here: https://www.ssllabs.com/ssltest/analyze.html?d=venvee.com&latest

Any files which you upload to us are stored and encrypted at rest. Our storage system uses a combination of AES-256/SHA-256 and elliptic-curve encryption. Files are encrypted with AES-256, sliced, replicated, and geographically dispersed to separate data centers on private, end-to-end encrypted network connections. Our application data and backup stores are encrypted at rest with Venvee-managed elliptic-curve and RSA keys (the former preferred where possible). All passwords are hashed and salted using BCrypt with a cost factor of 10.

Product security

For any provisioned product devices, we make a best effort to engineer the device against physical intrusions, including local or software access. All devices are pre-configured using our cloud provider’s secure IoT control plane. The only thing the device requires is outbound HTTPS connections to AWS endpoints and relevant software package repositories (we have curated the specific list of endpoints we require per-product). No endpoints or inbound-first connections are exposed or allowed to the device.

The device is encrypted and its kernel, firmware, and operating environment (including firewalls) are hardened according to the latest NIST and OWASP standards (including NISTIR 8176 and 8259A), which is validated before deployment. All runtime images are vulnerability-scanned in our container repositories, and source code is SAST-tested and version-escrowed for security during our continuous integration/deployment DevOps procedures. Device component version and configuration changes are explicitly paper-trailed. We perform routine penetration testing leveraging open-source tools, and take action to immediately resolve any findings.

The device operating environment and firmware check for and automatically fetch updates on a daily basis via the manufacturer-owned and managed package repository, with MD5 checksum validation. We have the ability to trigger updates more immediately if we are notified that a critical security vulnerability has been patched.

We additionally have an Incident Response Plan and Disaster Recovery Plan in place to handle any incidents or disasters on our end, in the event either occurs.

AWS

Access is tightly controlled through the encrypted AWS IoT connection over SSL/TLS that the device establishes, with AWS handling IoT certificate validation and authentication at every step. We disable local logins when the device is deployed to the edge and maintain per-device credentials in secure cloud vaults, in the event that remote servicing is required from our cloud through the secure connection. Remote servicing involves establishing a remote shell connection through a forwarded, authenticated proxy via the AWS IoT control plane. Such access is paper-trailed by the vaults, device logs, and IoT control plane for auditing.

All application, system, and network logs for the device are forwarded to CloudWatch and CloudTrail for consistent daily monitoring, and alerts are configured to flag suspicious metrics. We also use AWS Device Defender to explicitly monitor for abnormal or suspicious device activity, which forwards events and triggers alerts in the same manner for auditing and review.

Law enforcement

Venvee won’t hand your data over to law enforcement unless a court order says we have to. We flat out reject requests from local and federal law enforcement when they seek data without a court order. And unless we’re legally prevented from doing so, we’ll always inform you when we receive such requests.

Data deletion

For all of our services, all of your content will be inaccessible immediately upon cancellation, except where otherwise legally bound (e.g., in contracts with specific terms). Within 30 days of cancellation, all of your user data in the relevant service will be permanently deleted from all servers and logs. This information cannot be recovered once it has been permanently deleted. We also keep backups stored off-site for a maximum of 30 additional days. Therefore, after cancellation, all user data will be permanently deleted from backups within 60 days.

Incident management and disaster recovery

We practice regular recovery drills in accordance with our Incident Response Plan and Disaster Recovery Plan, where we test diverse disaster and failure scenarios. We perform hourly backups of all databases, and files are backed up automatically after they are uploaded, unless otherwise stated. For Quill, due to the volume of handled data, the minimum granularity is daily backups.

Our backups are tested on a regular basis and are stored off-site for a maximum of 30 days. We have procedures for triaging and responding to incidents managed by our dedicated Cloud and Security teams. For more information, see our Security Response. In the event of an incident, we would contact your account owner within 24 hours, and work with you to keep you informed throughout.

Conclusion

Security isn’t just about technology — it’s about trust. In an age where a single person can disrupt billion-dollar corporations with the press of a button, there’s no margin for taking risks or cutting corners. With the help of our security-minded experts and teams, we’ve worked hard to earn the trust of our clients worldwide. We’ll continue to work hard every day to maintain that trust. Longevity and stability are core to our mission at Venvee.