Security
Last updated: January 2025
Our security practices
- Encryption in transit: All connections to VisaVault use TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
- Encryption at rest: All database data is encrypted at rest using AES-256. Uploaded documents are stored in encrypted AWS S3 buckets.
- Authentication: User accounts are managed by Clerk with support for MFA (multi-factor authentication). Session tokens expire after 4 hours of inactivity.
- Access control: Row Level Security (RLS) is enforced on all database tables. Users can only access their own case data. Admin access requires separate elevated credentials.
- AI data handling: Case data sent to the Anthropic API is anonymised. Passport numbers and dates of birth are never included in AI prompts.
- File access: Document download URLs are pre-signed and expire within 15 minutes. Files are never accessible via public URLs.
- Infrastructure: VisaVault runs on AWS ECS Fargate in a private VPC (eu-west-2, London). Application containers are not directly internet-accessible.
- Dependency management: Dependencies are monitored for known vulnerabilities and updated regularly. We do not use end-of-life software versions in production.
Regulatory compliance
- Registered with the Information Commissioner's Office (ICO), registration number ZC111499
- GDPR-compliant data handling under the UK GDPR (the post-Brexit UK equivalent of the EU GDPR)
- Analytics data processed on PostHog EU cloud instance (eu.i.posthog.com)
- No personal data is transferred outside the UK / EU without appropriate safeguards
Responsible disclosure
If you believe you have found a security vulnerability in VisaVault, we ask that you disclose it responsibly so we can address it before any public disclosure.
Please email security@visavault.co.uk with the following information:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots (if available)
We will acknowledge your report within 2 business days and aim to resolve critical issues within 14 days. We do not currently offer a bug bounty programme, but we will credit researchers who report valid findings (with their consent).
Please do not access, modify, or delete any data that does not belong to you while researching a potential vulnerability.
Contact
For general security questions: security@visavault.co.uk