Security review package | Vera AI by VendorBenchmark
Meet Vera AI VendorBenchmark is now Vera AI, the platform named after your analyst. Same buyer-side numbers, same team. See what changed →
V Vera AI
Benchmarking Use cases Features Security Integrations Pricing About FAQ Blog Log in Request access
Security review package

Everything your security team needs, one link.

This page is written for the reviewer, not the buyer. Every document below is public and needs no account, every claim is implemented in the platform today, and the gaps are listed as plainly as the controls. Forward this URL to your security team and the review can start without a single meeting.

Email this package to your security team → Request documents under NDA
START HERE · THE READING ORDER

Seven steps, roughly ninety minutes.

1. The security overview: the data promise, the enforced numbers, and the claim ladder including what is not built. 2. The security team FAQ: 60 questions across eleven sections, written for reviewers. 3. The data processing agreement, public, no NDA needed to read it. 4. The subprocessor list: who runs what, with each provider's role. 5. The terms of service. 6. The compliance page: framework status, the resilience and validation evidence table, and the NDA document room holding the policy set and a pre-completed security questionnaire. 7. The responsible disclosure policy and security.txt.

The package, piece by piece.

Security overview

The architecture stated as evidence: ~200 tables under row-level security with 24 isolation suites in CI, 60 second signed downloads, the AI data flow, the 72 hour incident commitment, and a claim ladder with an explicit Not yet column. Check the ladder first; it tells you whether to believe the rest.

app.vendorbenchmark.com/security →
Security team FAQ, 60 questions

Tenant isolation mechanics, identity, data lifecycle, the AI data flow, benchmark anonymity, audit and incident response, subprocessors, compliance, and an honest section on what we do not have yet. Check the answers against your questionnaire; most map one to one.

app.vendorbenchmark.com/security/faq →
DPA, subprocessors, terms

All public. Check the subprocessor list against the AI data-flow claims (Anthropic is the only model provider) and the DPA's deletion commitments against the deletion certificate feature.

/dpa  ·  /subprocessors  ·  /terms
Compliance status and evidence

Framework status stated honestly (SOC 2 Type I targeted Q4 2026, report under NDA when issued) plus the resilience table: backups, restore tests, and penetration testing, each with a date or an honest not yet.

app.vendorbenchmark.com/compliance →
NDA document room

The policy set and a pre-completed security questionnaire, delivered through scoped, expiring, revocable links behind a click-through NDA. Every open is written to an audit log.

Request access →
In-product verification

With a login: the Security Center (your org's MFA coverage, audit export, SIEM webhook), the audit trail itself, and the deletion certificates under Settings. These are the controls you verify rather than trust.

Security Center (login) →
VERIFY, DON’T TRUST

Three things your team can prove alone, in a trial tenant.

1. Run the isolation test
Create two organizations, upload a document to one, and confirm the other’s session cannot read it. The denial comes from the database’s row-level security, not an application error page.
2. Watch your own audit stream
Subscribe an audit webhook and signed, cursor-tracked batches of your org’s events arrive within 15 minutes. Compare them against what your team actually did, down to the AI runs.
3. Test deletion end to end
Delete a contract, confirm rows and files are gone, then download the timestamped deletion certificate the deletion wrote. Deletion is a data path, not a support ticket.
THE HONEST GAPS

What we do not have yet, so you can believe what we do.

• Third-party penetration test: first engagement being scheduled; the executive summary will land in the NDA room • SOC 2: Type I targeted Q4 2026; controls implemented and mapped to evidence today • ISO 27001: not started, SOC 2 comes first • Customer-managed keys (BYOK): not built • EU data residency: not built, data is hosted in the US today • Passkeys / WebAuthn: not built, TOTP is the second factor today

The full, dated version lives on the security page’s claim ladder and moves left only when the code or the evidence exists.

OUR SIDE OF THE REVIEW

We will complete your questionnaire, walk the architecture, and show the cross-tenant read failing live.

Security at Redress is owned by Fredrik Filipsson, founder. Vulnerability reports are acknowledged within 3 business days with safe harbor for good-faith research, and if an incident ever affects your data you hear it from us within 72 hours of confirmation, followed by a written post-mortem. We sign your NDA or bring ours.

Set up the review →
V Vera AI
A VendorBenchmark product, built by Redress Compliance · © 2026