How we protect your data and your users' data. Enterprise-grade infrastructure, encryption everywhere, zero permanent storage of sensitive birth data.
Built on Google Cloud Platform with enterprise-grade security at every layer.
Hosted on GCP (us-central1) with Cloud Run for automatic scaling and container isolation. Each request runs in an isolated environment.
HTTPS with TLS 1.3 for all data in transit. Data encrypted at rest using Google-managed encryption keys. No unencrypted connections accepted.
All API keys are hashed with SHA-256 before storage. Plaintext keys are never stored in our systems. Rate limiting per key prevents abuse.
No shared infrastructure between customers. Each API request is processed in an isolated container with its own resource allocation.
Per-API-key rate limiting protects against abuse and ensures fair resource allocation. Configurable limits available on Enterprise plans.
Infrastructure scales automatically to handle traffic spikes. No single points of failure. Automatic failover across multiple zones.
We handle sensitive birth data with strict policies designed to minimize retention and maximize privacy.
Birth data is processed in real-time and used only for the requested calculation. We do not store birth chart queries or results permanently.
API logs are retained for 30 days for debugging and monitoring purposes, then permanently deleted. Logs contain request metadata, not full birth data payloads.
No birth data or API queries are used for training or fine-tuning Vedika AI models. Your users' data stays out of model training pipelines entirely.
Users can request deletion of any stored data by contacting support@vedika.io. We process deletion requests within 30 days.
Multi-layered authentication ensures only authorized users access your resources.
All API requests require a valid key (format: vk_live_*). Keys are scoped to individual projects for granular access control.
API keys can be rotated anytime from the developer console. Old keys are invalidated immediately upon rotation. No downtime required.
Failed authentication attempts are rate-limited to prevent brute-force attacks. Repeated failures trigger temporary lockouts.
Administrative access requires multi-factor authentication with custom security claims. No shared passwords or API keys across team members.
Each API key is scoped to a single project. Compromising one key does not affect other projects or customers.
All authentication events are logged with timestamps, IP addresses, and request metadata for compliance and forensic analysis.
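The controls described above (SHA-256 digests stored instead of plaintext keys, one key per project, immediate invalidation on rotation, lockouts after repeated failed attempts, per-key rate limiting, and authentication logs that carry only request metadata) fit together in a small gateway. The following Python sketch is an added illustration written for this page, not Vedika's own implementation: the ApiGateway class, the limit values, the IP addresses and the sample birth-data payload are all constructed for the example. Plain SHA-256 without salting or stretching is adequate here only because each key is a 256-bit random secret; the same shortcut would be wrong for user-chosen passwords.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from collections import defaultdict, deque

KEY_PREFIX = "vk_live_"     # key format stated on the page

# Policy values below are assumptions for the example, not the service's real limits.
MAX_FAILURES = 5            # failed auth attempts per source IP before lockout
FAILURE_WINDOW = 60.0       # seconds over which failures are counted
LOCKOUT_SECONDS = 300.0     # how long a locked-out IP is rejected
RATE_LIMIT = 3              # successful requests per key per RATE_WINDOW
RATE_WINDOW = 1.0           # seconds


class ApiGateway:
    """Hypothetical gateway (example code): keeps only SHA-256 digests of API keys,
    scopes each key to one project, rate-limits per key, locks out sources that keep
    failing authentication, and writes a metadata-only audit log."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                            # injectable for deterministic tests
        self._keys: dict[str, dict] = {}              # sha256 hex -> {"project": str}
        self._hits = defaultdict(deque)               # key digest -> request timestamps
        self._failures = defaultdict(deque)           # source ip -> failure timestamps
        self._locked_until: dict[str, float] = {}     # source ip -> unlock time
        self.audit_log: list[dict] = []               # metadata-only events

    @staticmethod
    def _digest(key: str) -> str:
        # Keys are high-entropy random secrets, so an unsalted SHA-256 digest is a
        # sufficient stored form; a password KDF is unnecessary for this input.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue_key(self, project: str) -> str:
        key = KEY_PREFIX + secrets.token_urlsafe(32)
        self._keys[self._digest(key)] = {"project": project}
        return key                                    # shown once; plaintext is not retained

    def rotate_key(self, old_key: str) -> str | None:
        # The old digest is removed first, so the old key stops working immediately.
        rec = self._keys.pop(self._digest(old_key), None)
        return self.issue_key(rec["project"]) if rec else None

    def _log(self, ip: str, path: str, status: int, key_digest: str | None = None) -> None:
        # Timestamp, source IP, endpoint path, response code and a short key identifier.
        # The request body is never passed in here, so birth data cannot reach the log.
        self.audit_log.append({"ts": self.clock(), "ip": ip, "path": path,
                               "status": status,
                               "key_id": key_digest[:8] if key_digest else None})

    def _record_failure(self, ip: str) -> None:
        now = self.clock()
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > FAILURE_WINDOW:      # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[ip] = now + LOCKOUT_SECONDS

    def _over_rate_limit(self, digest: str) -> bool:
        now = self.clock()
        q = self._hits[digest]
        while q and now - q[0] > RATE_WINDOW:         # sliding window per key
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return True
        q.append(now)
        return False

    def handle(self, ip: str, path: str, api_key: str, body: dict) -> tuple[int, dict | None]:
        """Returns (http_status, key record or None). `body` holds the birth data and is
        used only for the calculation; it is deliberately never logged."""
        if self._locked_until.get(ip, 0.0) > self.clock():
            self._log(ip, path, 429)
            return 429, None
        rec = None
        if api_key.startswith(KEY_PREFIX):
            digest = self._digest(api_key)
            rec = self._keys.get(digest)              # lookup by digest, never by plaintext
        if rec is None:
            self._record_failure(ip)
            self._log(ip, path, 401)
            return 401, None
        if self._over_rate_limit(digest):
            self._log(ip, path, 429, digest)
            return 429, None
        self._log(ip, path, 200, digest)
        return 200, rec


if __name__ == "__main__":
    gw = ApiGateway()
    key = gw.issue_key("demo-project")               # constructed project name
    sample = {"birth_date": "1990-01-01", "birth_time": "04:30"}   # constructed payload
    print(gw.handle("203.0.113.5", "/v1/chart", key, sample)[0])   # 200
    print(gw.handle("203.0.113.5", "/v1/chart", "vk_live_wrong", sample)[0])   # 401
    print(gw.audit_log[-1])                           # metadata only, no birth fields
```

In a Cloud Run style deployment the per-key counters and lockout state would live in a shared store rather than in process memory, since each container instance is ephemeral and scaled independently; the logic itself is unchanged.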
We take regulatory compliance seriously and are actively pursuing industry certifications.
We process data on behalf of our customers under the data processor model. Our customers are the data controllers responsible for obtaining user consent.
All data is currently processed and stored in the United States (us-central1, Iowa).
We are actively working toward SOC 2 Type II certification (status: in progress, target Q3 2026).
ISO 27001 certification is on our compliance roadmap (status: planned).
We take security reports seriously and respond quickly to protect our customers.
Found a security vulnerability? Report it responsibly.
Include a detailed description, steps to reproduce, and potential impact.
Our security team will review your report and confirm receipt.
We prioritize critical vulnerabilities and deploy fixes as fast as possible.
We do not currently operate a bug bounty program. We appreciate responsible disclosure and will credit reporters (with permission) in our security advisories.
Built for high availability with redundancy at every layer.
Our target uptime SLA. Enterprise plans include contractual guarantees with financial credits.
Deployed across multiple availability zones for redundancy. No single point of failure.
Automatic failover to healthy instances when issues are detected. Zero manual intervention required.
Common questions from security and compliance teams.
Do you store birth data? No. Birth data is processed in real-time to generate the requested calculation, then discarded. We do not permanently store birth chart queries, birth dates, birth times, or calculation results. API logs contain request metadata (timestamps, endpoint paths, response codes) but not full birth data payloads.
Do you offer a Data Processing Agreement? Yes. We provide Data Processing Agreements for customers who need them for GDPR or other regulatory compliance. Contact enterprise@vedika.io to request a DPA.
Where is data processed? All data is processed in Google Cloud's us-central1 region (Iowa, United States). For Enterprise customers with data residency requirements, we offer deployment in Asia (Mumbai). Contact us to discuss regional deployment options.
Is customer data used to train Vedika AI models? No. Vedika AI models are not fine-tuned or trained on customer data. Your API queries, birth data, and calculation results are never fed back into any model training pipeline. Vedika AI models are trained on publicly available astrological texts and data only.
Our team is ready to discuss your security requirements, provide documentation, or schedule a security review.