Your pricing data is sensitive. We treat it that way.
VantageDash is built with defense-in-depth security — from database-level tenant isolation to automated vulnerability scanning in CI. Our controls are aligned with the NIST 800-53 Rev. 5 framework.
39 NIST 800-53 controls mapped
10 control families covered
2,250+ automated tests
5 CI security scan layers
What we implement
Tenant isolation at the database level
Every query is scoped by Row Level Security (RLS). The database itself refuses to return another tenant's data — no application code path can bypass it.
Encrypted credentials at rest
Third-party tokens (Shopify, etc.) are encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before storage. Unique IV per token — identical secrets produce different ciphertext.
Security headers on every response
HSTS with 1-year preload, strict CSP, X-Frame-Options DENY, no MIME sniffing, and no-store cache control. Both frontend and API enforce these.
Audit trail on every mutation
All POST/PUT/PATCH/DELETE requests generate structured logs with UUID request IDs, SHA-256 body hashes, and automatic sensitive field redaction.
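The following is an added illustration of the audit-record shape described above; it is example code written for this page, not VantageDash's own logging code. The set of field names treated as sensitive, the tenant and actor identifiers, and the decision to hash the raw request bytes before redaction are assumptions made for the example.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Assumed list of keys whose values are never written to the log; the page does
# not enumerate the fields the product redacts.
SENSITIVE_FIELDS = {"password", "token", "access_token", "api_key", "secret", "authorization"}
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REDACTED = "[REDACTED]"


def redact(value):
    """Recursively replace the values of sensitive keys, preserving structure."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if k.lower() in SENSITIVE_FIELDS else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def audit_record(method, path, raw_body, tenant_id, actor_id, request_id=None):
    """Build the structured audit entry for one mutating request.

    Returns None for non-mutating methods (GET, HEAD, OPTIONS), so callers can
    log unconditionally. The SHA-256 is computed over the raw bytes as received,
    before redaction, so the log can later be matched against the exact payload
    without storing the secret values themselves.
    """
    if method not in MUTATING_METHODS:
        return None
    body_hash = hashlib.sha256(raw_body).hexdigest()
    try:
        parsed = json.loads(raw_body) if raw_body else None
    except json.JSONDecodeError:
        parsed = None  # non-JSON bodies are represented only by their hash
    return {
        "request_id": request_id or str(uuid.uuid4()),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "method": method,
        "path": path,
        "tenant_id": tenant_id,
        "actor_id": actor_id,
        "body_sha256": body_hash,
        "body": redact(parsed),
    }


if __name__ == "__main__":
    # Constructed sample request for demonstration.
    sample = b'{"email":"ops@example.com","password":"hunter2"}'
    print(json.dumps(audit_record("POST", "/api/users", sample, "tenant-A", "user-1"), indent=2))
```

One point worth noting about the design: a hash of a short body that contains only a guessable secret can be reversed by guessing, so a body hash is an integrity aid for the audit trail, not a substitute for redaction of the logged fields.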
Tiered rate limiting
Token-bucket rate limiting per IP: 120/min reads, 30/min mutations, 10/min auth, 5/min deletions. Deliberate friction on destructive operations.
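As an added example (not the product's own limiter), here is a per-IP token-bucket limiter with the four budgets quoted above. The tier names, the rule that maps a method and path to a tier, and the choice to refill continuously at capacity/60 tokens per second are assumptions for this example.

```python
import time

# Budgets per minute as stated on the page; tier names are assumed.
LIMITS_PER_MINUTE = {"read": 120, "mutation": 30, "auth": 10, "deletion": 5}


def classify(method, path):
    """Assumed routing rule: auth endpoints first, then by HTTP method."""
    if path.startswith("/auth/"):
        return "auth"
    if method == "DELETE":
        return "deletion"
    if method in ("POST", "PUT", "PATCH"):
        return "mutation"
    return "read"


class ManualClock:
    """Deterministic clock so behaviour can be checked without sleeping."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class TokenBucketLimiter:
    """One bucket per (client IP, tier).

    A bucket holds at most `capacity` tokens and refills at capacity/60 tokens
    per second, so a client may burst up to the budget and then sustain that
    budget per minute. Denied requests consume no tokens.
    """

    def __init__(self, limits=LIMITS_PER_MINUTE, clock=time.monotonic):
        self.limits = dict(limits)
        self.clock = clock
        self.buckets = {}  # (ip, tier) -> (tokens, last_refill_time)

    def allow(self, ip, method, path):
        tier = classify(method, path)
        capacity = self.limits[tier]
        now = self.clock()
        tokens, last = self.buckets.get((ip, tier), (float(capacity), now))
        tokens = min(float(capacity), tokens + (now - last) * capacity / 60.0)
        if tokens >= 1.0:
            self.buckets[(ip, tier)] = (tokens - 1.0, now)
            return True
        self.buckets[(ip, tier)] = (tokens, now)
        return False


def demo():
    """Six deletions in a burst, then one more after a 12 s wait."""
    clock = ManualClock()
    limiter = TokenBucketLimiter(clock=clock)
    ip = "203.0.113.7"  # constructed client address (TEST-NET-3)
    burst = [limiter.allow(ip, "DELETE", "/api/products/1") for _ in range(6)]
    clock.advance(12)  # at 5 tokens/min one token returns every 12 seconds
    after_wait = limiter.allow(ip, "DELETE", "/api/products/1")
    other_tier = limiter.allow(ip, "GET", "/api/products")  # reads are budgeted separately
    return burst, after_wait, other_tier


if __name__ == "__main__":
    print(demo())
```

The separate bucket per tier is what produces the "deliberate friction" on destructive calls: exhausting the deletion budget leaves reads and ordinary mutations from the same address unaffected.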
Role-based access control
Four roles (owner, admin, member, viewer) with endpoint-level enforcement. Sensitive operations require owner or admin privileges.
Hardened container deployment
Non-root execution, minimal base image, build tools purged after compilation, pinned dependencies for reproducible builds.
Five layers of automated scanning
Gitleaks (secrets), Trivy (container CVEs), CodeQL (SAST), OWASP ZAP (DAST), and license compliance — all running in CI.
Software Bill of Materials
Every build generates SBOMs via CycloneDX and Syft, covering Python packages, npm dependencies, and the container image. Retained for 90 days.
License compliance enforcement
Builds fail automatically if a copyleft-licensed dependency is introduced. No accidental GPL exposure in a SaaS product.
NIST 800-53 Rev. 5 alignment
We map our security controls to the same framework used by U.S. federal agencies. This is a self-assessed alignment — not a third-party certification — but every control listed here is implemented in our codebase today.
Transparency, not marketing
We don't claim SOC 2 or ISO 27001 certification — those require formal third-party audits. What we do have is a documented, tested, and continuously enforced security posture that aligns with NIST 800-53 controls. Every practice on this page exists in our codebase and CI pipeline today.
For a deeper technical walkthrough, read our security architecture blog post. If security matters to your team, we're happy to walk through any of these controls in detail.