Security you can audit.
We handle sensitive federal contracting data. Security isn't an afterthought — it's built into every layer of the platform.
Where we stand on the frameworks that matter.
SOC 2 Type II
A SOC 2 Type II audit covering Security, Availability, and Confidentiality is in preparation — controls are mapped to the Trust Services Criteria, but an independent CPA firm has not yet been engaged. Report available to Enterprise customers under NDA on completion.
NIST 800-171
Controls mapped to NIST SP 800-171 for protecting Controlled Unclassified Information (CUI), including automatic redaction of sensitive identifiers before any third-party AI call (3.1.3), per-tenant access enforcement, and continuous-monitoring alerting. Formal assessment not yet undertaken.
FedRAMP 20x
We are pursuing FedRAMP 20x (Low first). VETR runs in AWS GovCloud (us-gov-west-1) with all 46 Key Security Indicators mapped, an OSCAL System Security Plan, and continuous monitoring live (AWS Config + Security Hub + GuardDuty) — and we are preparing to engage an accredited 3PAO for the independent assessment. VETR is not yet FedRAMP-authorized.
CMMC Level 2
Security controls aligned with CMMC Level 2 practices for organizations handling CUI in the defense industrial base.
Section 508
WCAG 2.1 Level AA: automated checks (axe-core runtime + ESLint jsx-a11y) report 0 violations across public and authenticated pages. A VPAT/ACR is maintained and available on request.
Section 889
We maintain a review process for covered-telecommunications restrictions and supply-chain representations relevant to the platform environment. Detailed certifications available on request.
Six layers, one defense in depth.
The specifics, organized by category — every control reviewable, exportable, audit-ready.
01
Data Protection
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption for all data in transit
- Encrypted backups with geographic redundancy
- Strict per-organization data isolation — every query is tenant-scoped
02
CUI Safeguards
- Automatic CUI/PII redaction (SSN, EIN, financial, classification markings) before any text reaches a third-party AI model
- Raw model output and extracted document text are kept out of application logs
- AI-assisted CUI scanner with human-in-the-loop review for proposals
- Practices mapped to NIST SP 800-171 controls for protecting CUI
03
Access Control
- Mandatory multi-factor authentication (MFA) enrollment
- Role-based access control — read-only roles cannot mutate data
- 12-character, breach-checked passwords with brute-force lockout
- Single Sign-On (SSO) via SAML 2.0 — Enterprise
04
Application Security
- SSRF protection — outbound/webhook requests are blocked from reaching internal or metadata endpoints
- Signature-verified inbound webhooks (payments, e-signature)
- Output sanitization against stored-XSS (HTML) and spreadsheet formula injection (CSV exports)
- Content-type-verified uploads with optional malware scanning
05
Infrastructure
- AWS-hosted with 99.9% uptime SLA
- Automated security patching
- DDoS protection via AWS Shield
- Web Application Firewall (WAF)
06
Monitoring & Response
- 24/7 infrastructure monitoring
- Real-time intrusion detection
- Automated anomaly alerting
- Documented incident-response plan (target initial response < 4 hr)
07
Development
- Security code review for all changes
- Dependency vulnerability scanning
- Third-party penetration testing (planned with 3PAO assessment)
- OWASP Top 10 compliance checks
08
Audit & Privacy
- Comprehensive audit logging
- Append-only audit logs (WORM/object-lock archival in progress)
- Data retention and deletion controls
- Privacy-by-design architecture
Where we are on the FedRAMP path — milestone by milestone.
We publish our security roadmap because veteran-owned contractors deserve transparency, not vague compliance theater. Update cadence: quarterly.
Phase 1 — Foundation (Complete)
Complete- AES-256 at rest, TLS 1.3 in transit
- AWS multi-AZ deployment
- Append-only audit logging + 7-year retention (WORM archival in progress)
- CUI redaction service shipped
Phase 2 — NIST 800-171 self-attestation documented (gaps tracked in POA&M)
Complete- 110-control NIST SP 800-171 r2 mapping documented
- POA&M (Plan of Action and Milestones) maintained
- CMMC L2 alignment review complete
Phase 3 — SOC 2 Type II audit (in preparation, not yet certified)
In progress- Preparing to engage an independent CPA firm; observation window not yet started
- Type II report to follow the observation window
- Available to Enterprise customers under NDA on completion
Phase 4 — FedRAMP 20x assessment (in preparation, not yet authorized)
In progress- Preparing to engage an accredited 3PAO for the independent assessment + penetration test
- OSCAL System Security Plan + Body-of-Evidence package prepared
- All 46 Key Security Indicators (KSIs) mapped; continuous monitoring live
Phase 5 — FedRAMP 20x authorization (planned, not yet authorized)
Planned- Independent 3PAO assessment → KSI validation → FedRAMP Marketplace listing
- Starting at 20x Low; Moderate to follow
- Built for veteran-owned / set-aside contractors handling CUI
Found a vulnerability? Tell us.
We acknowledge valid reports within 48 hours and work with researchers in good faith. No lawyers, no surprises.
Report to security@vetrproposal.com
Need our security package?
Enterprise customers receive SOC 2 reports, pen-test summaries, and architecture reviews under NDA.