Security | Vera AI by VendorBenchmark
Meet Vera AI VendorBenchmark is now Vera AI, the platform named after your analyst. Same buyer-side numbers, same team. See what changed →
V Vera AI
Benchmarking Use cases Features Security Integrations Pricing About FAQ Blog Log in Request access
Security and trust

Your contracts are the most sensitive data you have. We built for that first.

Tenant isolation is enforced in the database, not just the app. Every view and download is logged. Files never get a public URL. Security was the first requirement of the platform, not a feature bolted on later.

Send this to your security team → See the Trust Center
Row-level
tenant isolation enforced in Postgres, tested cross-org
TOTP MFA
with backup codes, required for admins, org-wide policy
SSO + SCIM
SAML 2.0 and OIDC per org, automated provisioning
AES-256
encrypted at rest, TLS in transit, sealed secrets
app.vendorbenchmark.com/security-center
The Vera AI Security Center: MFA coverage, SSO enforcement, retention policy, API keys, and the audit stream
01 · TENANT ISOLATION

One organization can never see another's data.

Every customer table carries an organization id, and Postgres row-level security policies decide what each request can read or write. Isolation lives in the database, so it holds even if application code has a bug. Platform admin access is a separate, controlled path that customers can never grant themselves, and we test cross-organization isolation directly.

02 · IDENTITY AND ACCESS

SSO, SCIM, MFA, and roles.

SAML 2.0 and OIDC single sign-on per organization, with an optional require-SSO setting. SCIM 2.0 provisions and deprovisions users through your identity provider, so offboarding is one action. TOTP multi-factor with backup codes is available to everyone and required for platform admins. Roles are managed per organization with a full member directory.

03 · AUDIT LOGGING

Every view and download is on the record.

Sensitive actions, including who opened or downloaded a contract file, are appended to an audit log with the actor, action, entity, organization, IP address, and user agent. Owners see their own trail in the app, and you can stream events to your SIEM. Known sign-in devices are tracked so unusual access stands out.

04 · FILE HANDLING

Contracts live in private storage.

Uploaded files go into private buckets with no public URLs, ever. Downloads use short-lived signed URLs that expire in about a minute. Uploads are validated on type, size, and file signature, not just the extension. Share links are stored only as hashes, never as reusable tokens.

05 · ENCRYPTION

Encrypted in transit and at rest.

TLS protects data in transit, and storage and database are encrypted at rest. Credentials for your connected tools are sealed with AES-256-GCM using a fresh initialization vector per value, shown masked, and checked for tampering. No secret is ever stored in our code.

06 · APPLICATION HARDENING

Defense in depth around the app.

• A strict Content Security Policy with a fresh nonce on every request • HSTS with a two-year max-age and preload • Frame-deny, no-sniff, and a locked-down Permissions-Policy • Rate limiting on sign-in, upload, and abuse-prone routes • The production build refuses to ship if rate-limiting is misconfigured • Input validation on every server route
07 · DATA LIFECYCLE

Your data, on your terms.

Set a retention policy, export everything, or hard delete. A deletion removes both the database rows and the stored files, so nothing lingers. You never have to file a ticket with us to honor a deletion request from your side.

THE TRUST CENTER

The documents your security team asks for, one link away.

The security review package collects everything public in reading order: the security overview with its claim ladder, the 60-question security team FAQ, the data processing agreement, the subprocessor list, and our resilience evidence with dates. The policy set and a pre-completed security questionnaire sit behind a click-through NDA in scoped, expiring, revocable links, and every view lands on the audit trail. We state what is not built yet as plainly as what is, so a framework is only ever claimed with the evidence to show for it.

Open the review package →

Bring your most sensitive contracts.

Enterprise controls are on from day one. See the full platform.

Request access →
V Vera AI
A VendorBenchmark product, built by Redress Compliance · © 2026