Data handling, privacy & compliance¶
What data Vex Raptor processes, where it lives, and how it maps to the frameworks your auditors care about.
Data residency & ownership¶
Because Vex Raptor is self-hosted, you are the data controller and the data stays in the region and infrastructure you deploy to. Vex has no operational access to your scan data. This is what makes Vex Raptor usable in air-gapped and data-sovereign environments.
What is processed¶
| Category | Examples | Purpose | Default retention |
|---|---|---|---|
| Target metadata | URLs, hostnames, IPs in scope | Run the authorized scan | Life of the scan record |
| Findings & evidence | Requests, responses, PoC payloads | Prove and reproduce a finding | Configurable per org |
| Reports | HTML / PDF / JSON exports | Deliverables & compliance | Configurable |
| Identity | User email, role, org | Authentication & RBAC | Life of the account |
| Scan credentials | Tokens/passwords for authenticated scans | Authenticated testing | Deleted with the scan; redacted in logs |
Minimize sensitive data
Use dedicated, low-privilege test credentials for authenticated scans. Vex Raptor encrypts them at rest and redacts them from logs, but least privilege is still best practice.
Encryption¶
- In transit — TLS everywhere; terminate at your proxy. For the origin hop, use TLS end-to-end (Cloudflare Full (strict), not Flexible).
- At rest — inherit your PostgreSQL and volume/disk encryption; scan credentials are additionally encrypted at the application layer (AES-GCM).
Sub-processors¶
In the default self-hosted configuration Vex Raptor uses no sub-processors for your scan data. Optional, opt-in integrations that send data outside your perimeter — and only when you enable and configure them — include:
| Integration | Data sent | When |
|---|---|---|
| License validation | License key, instance ID | Always (startup) |
| AI depth (Gemini / Vertex / Bedrock / Mistral / Ollama) | Prompt context you scan | Only at AI depth; use Ollama/self-hosted to keep it local |
| Threat-intel enrichment (VirusTotal / Shodan / HIBP) | Indicators you submit | Only when configured |
Note
Keep this table current — procurement will ask for a definitive
sub-processor list. ollama / self-hosted LLM keeps AI depth fully local.
Compliance¶
| Framework | Status |
|---|---|
| SOC 2 Type II | In progress — target <quarter/year>, auditor <name> |
| ISO 27001 | <status> |
| GDPR | Self-hosted; you remain controller. DPA available on request. |
Fill in before publishing
Replace the placeholders with real dates/auditors. An undated "in progress" reads as vaporware to enterprise buyers — state a target quarter or remove the row until it is concrete.
How Vex Raptor supports your compliance¶
Every scan can export control mappings so findings land against the frameworks your auditor uses — SOC 2, PCI-DSS, ISO 27001, GDPR — as an audit-ready PDF rather than a raw CVE list. See Read a report.