Saltar a contenido

Data handling, privacy & compliance

What data Vex Raptor processes, where it lives, and how it maps to the frameworks your auditors care about.

Data residency & ownership

Because Vex Raptor is self-hosted, you are the data controller and the data stays in the region and infrastructure you deploy to. Vex has no operational access to your scan data. This is what makes Vex Raptor usable in air-gapped and data-sovereign environments.

What is processed

Category Examples Purpose Default retention
Target metadata URLs, hostnames, IPs in scope Run the authorized scan Life of the scan record
Findings & evidence Requests, responses, PoC payloads Prove and reproduce a finding Configurable per org
Reports HTML / PDF / JSON exports Deliverables & compliance Configurable
Identity User email, role, org Authentication & RBAC Life of the account
Scan credentials Tokens/passwords for authenticated scans Authenticated testing Deleted with the scan; redacted in logs

Minimize sensitive data

Use dedicated, low-privilege test credentials for authenticated scans. Vex Raptor encrypts them at rest and redacts them from logs, but least privilege is still best practice.

Encryption

  • In transit — TLS everywhere; terminate at your proxy. For the origin hop, use TLS end-to-end (Cloudflare Full (strict), not Flexible).
  • At rest — inherit your PostgreSQL and volume/disk encryption; scan credentials are additionally encrypted at the application layer (AES-GCM).

Sub-processors

In the default self-hosted configuration Vex Raptor uses no sub-processors for your scan data. Optional, opt-in integrations that send data outside your perimeter — and only when you enable and configure them — include:

Integration Data sent When
License validation License key, instance ID Always (startup)
AI depth (Gemini / Vertex / Bedrock / Mistral / Ollama) Prompt context you scan Only at AI depth; use Ollama/self-hosted to keep it local
Threat-intel enrichment (VirusTotal / Shodan / HIBP) Indicators you submit Only when configured

Note

Keep this table current — procurement will ask for a definitive sub-processor list. ollama / self-hosted LLM keeps AI depth fully local.

Compliance

Framework Status
SOC 2 Type II In progress — target <quarter/year>, auditor <name>
ISO 27001 <status>
GDPR Self-hosted; you remain controller. DPA available on request.

Fill in before publishing

Replace the placeholders with real dates/auditors. An undated "in progress" reads as vaporware to enterprise buyers — state a target quarter or remove the row until it is concrete.

How Vex Raptor supports your compliance

Every scan can export control mappings so findings land against the frameworks your auditor uses — SOC 2, PCI-DSS, ISO 27001, GDPR — as an audit-ready PDF rather than a raw CVE list. See Read a report.