Trust & Security

Security & Trust

How we protect your data: the practices behind the platform, and how to reach us if you find a vulnerability.

Last updated · July 2026

ValiqAI is a security and quality testing platform, so protecting your data is core to what we do. This page summarizes the practices we use to keep the platform and your data secure, and explains how to report a vulnerability if you find one.

Our security practices

Encryption in transit & at rest

All traffic is served over TLS (HTTPS). Data stored in our database and object storage is encrypted at rest by our infrastructure providers.

Authentication & access

Passwords are hashed with bcrypt. We support enterprise Single Sign-On (SAML/OIDC), and sensitive secrets such as SSO credentials are encrypted before they are stored.

Data isolation

Data is scoped to your organization. Scans, results, and settings are only accessible to members of the organization that owns them.

Scan safety controls

Adversarial testing requires explicit authorization, and probes run under strict rate limits and hard caps designed to protect the systems being tested.

Infrastructure & subprocessors

ValiqAI runs on managed cloud infrastructure. We rely on a small set of vetted third-party providers to operate the Service, each bound by data processing terms. You can review the full list on our Subprocessors page.

For details on what data we collect and how it is handled, see our Privacy Policy, and for data-processing commitments, our Data Processing Agreement.

Compliance

SOC 2: We are actively working toward SOC 2 Type II. We support GDPR and CCPA/CPRA rights as described in our Privacy Policy. If you have specific compliance requirements or need documentation for a vendor security review, contact us and we will help.

Data retention & deletion

We keep your data for as long as your account is active and as needed to provide the Service. Scan artifacts (screenshots, session replays, logs, and reports) are retained so you can review past runs, and may be pruned over time or according to your plan.

You can delete individual scans at any time, and you can request deletion of your account and associated data by contacting us. On deletion, we remove data from our active systems and it ages out of encrypted backups on our normal backup cycle. For the full picture of what we collect and how long we keep it, see our Privacy Policy.

Backups & availability

Our database is hosted on managed infrastructure with automated backups, so we can recover from data loss or infrastructure failure. Backups are encrypted at rest. We design the platform to fail safely. For example, scans run under hard caps and time limits so a single run cannot exhaust resources or run indefinitely.

Secure development

  • Dependency hygiene: We monitor dependencies for known vulnerabilities and update them as issues are disclosed.
  • Secrets management: Credentials and API keys are stored as environment secrets, never committed to source control, and sensitive values are encrypted before storage.
  • Input handling: The application validates input and uses parameterized database queries to guard against injection.

Internal access

Access to production systems and customer data is limited to what is necessary to operate and support the Service, and is protected by strong authentication. We access your data only to provide, maintain, and secure the Service, to comply with the law, or with your permission (for example, when helping with a support request).

Monitoring & incident response

We use error tracking and monitoring to detect problems in production. If we become aware of a security incident that affects your personal data, we will investigate, take steps to contain and remediate it, and notify affected customers and any relevant authorities as required by applicable law and our Data Processing Agreement.

Your part in security

Security is shared. Keep your account credentials confidential, use a strong and unique password, and only run adversarial scans against systems you own or are explicitly authorized to test. If you believe your account has been compromised, contact us immediately so we can help secure it.

Reporting a vulnerability

We welcome reports from security researchers and the community. If you believe you have found a security vulnerability in ValiqAI, please report it responsibly so we can fix it before it is disclosed publicly.

How to report

Email abhi@valiqai.com with a description of the issue, the steps to reproduce it, and any relevant details (affected URL, request/response, screenshots). Please give us a reasonable amount of time to investigate and remediate before any public disclosure.

Please do

  • Report issues promptly and in good faith
  • Give us enough detail to reproduce the issue
  • Use only test accounts and your own data
  • Give us reasonable time to remediate before disclosure

Please don't

  • Access, modify, or delete data that isn't yours
  • Run denial-of-service or high-volume automated attacks
  • Publicly disclose before we've had a chance to fix it
  • Use social engineering, phishing, or physical attacks

We will not pursue legal action against researchers who act in good faith and follow this policy. We do not currently run a paid bug bounty program, but we are grateful for responsible reports and will acknowledge your contribution where appropriate.

Contact

For security reports or any other questions, contact us at abhi@valiqai.com.

Ready to secure your app?