Concrete security information, without pretending the platform is something it is not.
Vertapass is built on modern cloud infrastructure with authenticated access and tenant-scoped application data. We want this page to be specific, useful, and honest about current maturity.
Core security areas buyers and procurement teams usually ask about
These statements are limited to what the product and infrastructure are actually designed to support today.
Authentication and access control
User access is authenticated through Firebase-based sign-in flows, and application data is scoped to the current organization in the API.
Data storage and infrastructure
Application services run on Google Cloud, with primary application data stored in PostgreSQL and uploaded evidence stored in Google Cloud Storage.
Encryption and transport
Traffic is served over HTTPS and the platform is designed to keep data encrypted in transit. Cloud-managed services provide encryption at rest for underlying storage.
Retention and deletion handling
Workspaces, evidence, and user data are managed within the product. Deletion and retention should be handled through product controls rather than ad hoc file handling.
How we think about evidence and customer data
Uploaded evidence is intended to support your internal workspace and customer-response process, not to create a public rating or profile.
Customer-request exports are generated from the answers your team has reviewed, curated, or accepted inside the app.
Procurement or security-review questions can be sent directly to hello@vertapass.com.
Current assurance posture
We want to be explicit here: Vertapass is not currently presenting itself as SOC 2 or ISO 27001 certified on this page. If your procurement process requires a security review, send the request and we will handle it directly.
Need a security or procurement response?
Email hello@vertapass.com with the buyer name, timeline, and the questionnaire or security pack you need completed. We will route it appropriately.