Trust Center: Security & compliance · verifiable, not vague

Security and compliance you can verify.

VETR is built for government contracting, where trust is the product. Here's exactly where our security and compliance posture stands today — stated honestly, including what's still in progress.

Frameworks

Certifications & frameworks — current status.

We never claim a certification we don't hold. Where an audit is underway, we say so.

SOC 2 Type II: In progress

Audit in progress with an independent firm over an observation window. Report shared under NDA on completion.

NIST SP 800-171: Self-attested

Self-attested against the 110 controls; a control-by-control mapping and a POA&M (Plan of Action and Milestones) for any gaps are maintained internally and available to reviewers.

FedRAMP Moderate: In progress

Authorization path under evaluation (Agency sponsorship); infrastructure runs on AWS with a GovCloud migration path.

CMMC Level 2: Aligned

Practices aligned to CMMC L2 (which builds on NIST SP 800-171); a formal assessment has not yet been undertaken.

Section 508 / WCAG 2.1 AA: In progress

Accessibility conformance work in progress across the application.

Controls

How we protect your data.

Encryption

  • TLS in transit (HTTPS-only, HSTS)
  • Sensitive PII encrypted at rest with application-layer AES (in addition to storage-level encryption)
  • Secrets in AWS SSM Parameter Store

Access control

  • TOTP two-factor authentication
  • Role-based access (org owner / manager / contributor)
  • Two-factor enrolment enforced for privileged accounts

Tenant isolation

  • Automatic per-organization data scoping
  • Cross-tenant access blocked at the query layer
  • Verified by a cross-tenant isolation test suite
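What "scoping at the query layer" and a cross-tenant isolation test look like in practice, as an added illustration written for this page (not VETR's own code): every statement the repository issues carries a bound `org_id` for the caller's organization, so a row id belonging to another tenant is simply not found and an update against it touches zero rows. The `TenantScopedDB` class, the `proposals` schema and the two organization names are assumptions constructed for the example; the database is an in-memory SQLite instance.

```python
"""Per-organization query scoping plus the isolation check that proves it.
Added example for this page, not VETR's implementation."""
import sqlite3

# Assumed minimal schema; every tenant-owned table carries org_id.
SCHEMA = """
CREATE TABLE organizations (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE proposals (
    id     INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL REFERENCES organizations(id),
    title  TEXT NOT NULL
);
CREATE INDEX proposals_org ON proposals(org_id);
"""


class TenantScopedDB:
    """A repository bound to one organization.

    The org_id comes from the authenticated session, never from the request
    body or URL, and is appended to the WHERE clause of every statement, so
    callers cannot reach another tenant's rows by guessing ids."""

    def __init__(self, conn: sqlite3.Connection, org_id: int):
        self.conn = conn
        self.org_id = org_id

    def create_proposal(self, title: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO proposals (org_id, title) VALUES (?, ?)",
            (self.org_id, title))
        return cur.lastrowid

    def get_proposal(self, proposal_id: int):
        row = self.conn.execute(
            "SELECT id, org_id, title FROM proposals WHERE id = ? AND org_id = ?",
            (proposal_id, self.org_id)).fetchone()
        return None if row is None else {"id": row[0], "org_id": row[1], "title": row[2]}

    def rename_proposal(self, proposal_id: int, title: str) -> int:
        # rowcount is 0 when the id exists but belongs to another tenant,
        # which is indistinguishable from "no such row" to the caller.
        cur = self.conn.execute(
            "UPDATE proposals SET title = ? WHERE id = ? AND org_id = ?",
            (title, proposal_id, self.org_id))
        return cur.rowcount

    def list_proposals(self) -> list:
        return [r[0] for r in self.conn.execute(
            "SELECT id FROM proposals WHERE org_id = ? ORDER BY id", (self.org_id,))]


def cross_tenant_isolation_check() -> dict:
    """The kind of test an isolation suite runs: two tenants, one tries to
    read and rewrite the other's row by id, and nothing leaks or changes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample tenants.
    conn.execute("INSERT INTO organizations (id, name) VALUES (1, 'Acme Federal'), (2, 'Beta Gov Services')")
    acme, beta = TenantScopedDB(conn, 1), TenantScopedDB(conn, 2)
    a_id = acme.create_proposal("Acme draft")
    b_id = beta.create_proposal("Beta draft")
    return {
        "read_own": acme.get_proposal(a_id)["title"],
        "read_cross": acme.get_proposal(b_id),              # None: not visible
        "update_cross_rows": acme.rename_proposal(b_id, "hijacked"),  # 0 rows
        "beta_title_after": beta.get_proposal(b_id)["title"],
        "acme_list": acme.list_proposals(),
        "beta_list": beta.list_proposals(),
    }


if __name__ == "__main__":
    for k, v in cross_tenant_isolation_check().items():
        print(f"{k}: {v!r}")
```

The point of routing every query through one scoped object is that the check cannot be forgotten on a new endpoint; a suite like `cross_tenant_isolation_check` then guards against a future query that bypasses the repository.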

Auditability

  • Append-only audit log of privileged actions
  • Impersonation sessions are re-validated on every request and logged
  • WORM / object-lock archival on the roadmap

Application security

  • Uploads are content-sniffed (declared type checked against the actual bytes) and passed through an antivirus hook
  • SSRF guard on outbound requests (blocks the instance metadata service and DNS rebinding)
  • Rate limiting throughout the application, and signed webhooks
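The SSRF guard above names the two cases a practitioner checks for: the instance metadata service and DNS rebinding. The following is an added Python example of such a guard written for this page, not VETR's implementation. It judges every address a URL can reach, treats an answer that mixes a public and a private record as hostile, and returns a pinned IP so the fetch cannot be redirected by a second DNS answer. The function names, the blocklist and the constructed `SAMPLE_DNS` answers are assumptions for the example.

```python
"""Outbound-fetch SSRF guard: judge every address a URL can reach and pin the
vetted IP so a DNS answer cannot change between the check and the fetch.
Added example for this page, not VETR's own code."""
import ipaddress
import socket
from urllib.parse import urlparse

# Networks an outbound fetcher must never reach. 169.254.0.0/16 contains the
# AWS instance metadata service (169.254.169.254); the IPv6 entries cover
# loopback, unique-local and link-local space. (Assumed blocklist.)
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS answers so the example runs offline; the rebinding host
# returns a public and a metadata address in the same answer.
SAMPLE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.attacker.test": ["93.184.216.34", "169.254.169.254"],
}


class SSRFBlocked(ValueError):
    """Raised when a URL must not be fetched."""


def is_blocked_ip(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:169.254.169.254 is the IMDS address in IPv4-mapped form; unwrap
    # it so it is judged against the IPv4 ranges.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> list:
    """All addresses the name resolves to, via the system resolver."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise SSRFBlocked(f"cannot resolve {host!r}") from exc
    return sorted({info[4][0] for info in infos})


def sample_resolver(host: str) -> list:
    """Offline stand-in for resolve_all, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise SSRFBlocked(f"cannot resolve {host!r}")
    return SAMPLE_DNS[host]


def vet_url(url: str, resolver=resolve_all) -> tuple:
    """Return (scheme, pinned_ip, port) for a URL that is safe to fetch,
    or raise SSRFBlocked. `resolver` is injectable for offline testing."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("URL has no host")
    if parts.username or parts.password:
        raise SSRFBlocked("credentials in URL not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # A literal address is judged directly; a name is resolved once and every
    # record in the answer is checked, not just the first.
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = resolver(host)
    for ip in candidates:
        if is_blocked_ip(ip):
            raise SSRFBlocked(f"{host} resolves to blocked address {ip}")
    # The caller must connect to this pinned IP (sending Host: <host> and SNI
    # for the original name) instead of re-resolving, which is the window a
    # rebinding attack uses.
    return parts.scheme, candidates[0], port


def url_allowed(url: str, resolver=resolve_all) -> bool:
    try:
        vet_url(url, resolver=resolver)
        return True
    except SSRFBlocked:
        return False


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/rfp",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "https://rebind.attacker.test/",
              "ftp://api.example.com/"):
        print(u, "->", url_allowed(u, resolver=sample_resolver))
```

Two caveats a reviewer would raise: the guard has to be re-run on every redirect hop, since a public host can 302 to a metadata address, and the pinned IP only helps if the HTTP client is actually told to connect to it rather than re-resolving the name. Requiring IMDSv2 with a hop limit of 1 on the instance is the complementary network-side control.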

Resilience

  • Automated RDS backups + point-in-time recovery
  • Deploy circuit-breaker with auto-rollback
  • Fail-closed migrations (no half-migrated boot)

Data handling & residency

  • Customer data is hosted on AWS in the US (us-east-1), with a GovCloud migration path for CUI workloads.
  • Each organization's data is isolated; one tenant can never query another's.
  • You can request export or deletion of your organization's data (GDPR/CCPA rights honored — see the Privacy Policy).
  • AI requests send only the context needed for that task; your data is never used to train shared models.

Subprocessors

  • Amazon Web Services (AWS): Cloud hosting, database, storage (us-east-1; GovCloud path)
  • Stripe: Subscription billing + payments (PCI-DSS Level 1)
  • OpenAI: AI generation (RFP parsing, drafting, assistant); only the context needed per request
  • Amazon SES / WorkMail: Transactional + branded email

Running a vendor security review?

Tell us what your security or contracting team needs — our NIST 800-171 mapping, the SOC 2 report when it lands, a completed security questionnaire (SIG/CAIQ), or a DPA — and we'll get it to you.