Venda.

Information Security Policy

Effective date: April 2026  ·  Version 1.0

1. Our Commitment

Venda maintains a formal information security program designed to protect the confidentiality, integrity, and availability of customer data and all data processed through our platform, including data obtained via third-party marketplace API integrations.

This policy applies to all Venda systems, personnel, and contractors that access, process, store, or transmit data on behalf of the organization or its customers. It is reviewed annually and updated following any significant change in business operations or security posture.

2. Infrastructure and Hosting

Venda is built entirely on SOC 2-certified cloud infrastructure. We do not operate physical servers.

  • Vercel — Application hosting, edge network, and DDoS protection
  • Supabase — PostgreSQL database and file storage (AWS-backed, us-east-1)
  • Clerk — Authentication and identity management

Each provider maintains independent security certifications, penetration testing programs, and compliance controls, which Venda inherits as a customer. All customer and API partner data is stored and processed in the United States.

3. Data Encryption

3.1 Data in Transit

  • All data transmitted between clients and Venda systems uses TLS 1.2 or higher
  • HTTP connections are automatically redirected to HTTPS
  • API communications with marketplace partners use TLS-encrypted connections at all times

3.2 Data at Rest

  • All database data encrypted at rest using AES-256 (Supabase / AWS)
  • File storage (listing images, attachments) encrypted at rest in Supabase Storage
  • Backups encrypted using the same standard

3.3 Secrets and Credentials

  • API keys, OAuth secrets, and database credentials stored as environment variables in Vercel's encrypted secrets management
  • Secrets are never committed to source code repositories
  • Secret rotation is performed upon personnel departure or suspected exposure

4. Access Controls

4.1 Principle of Least Privilege

Access to all systems and data is granted on the basis of minimum necessary access required to perform a job function. No individual or system component receives more access than is required.

4.2 Authentication

  • Multi-factor authentication (MFA) required for all systems containing customer or API partner data
  • MFA enforced on: GitHub, Supabase, Vercel, Clerk dashboard, and all cloud provider consoles
  • Passwords must be unique per service — password manager required for all personnel
  • Shared credentials are prohibited

4.3 Database and Application Layer

  • All API endpoints require valid authentication via Clerk-issued JWT tokens
  • Row-Level Security (RLS) enforced in Supabase — users can only access their own data
  • Database is not publicly accessible — only reachable via the application layer
  • Database credentials stored as environment variables, never in source code

4.4 Access Reviews

  • Access rights reviewed when an individual's role changes
  • Access revoked within 24 hours of personnel departure
  • Quarterly review of all active accounts with production access

5. Third-Party API Data Handling

Venda integrates with third-party marketplace APIs (including TikTok Shop, Shopify, Amazon, Walmart, Whatnot, and others) to provide listing management and cross-platform publishing services. Data received through these integrations is handled as follows:

  • API data is classified as Confidential and subject to the same security controls as all customer data
  • Stored only in the encrypted Supabase database — never in plaintext
  • Accessible only to the authenticated seller to whom it belongs, enforced via Row-Level Security
  • Never sold or shared with unauthorized third parties
  • Used solely for the purpose for which it was obtained (marketplace listing management)
  • Deleted within 30 days of termination of the API relationship or of a user's deletion request
  • All API credentials scoped to minimum required permissions and stored in encrypted environment variables
  • Venda complies with all data handling requirements stipulated in each provider's developer agreement

6. Vulnerability Management

6.1 Dependency Scanning

  • GitHub Dependabot enabled on all repositories for automated vulnerability alerts
  • Security advisories reviewed weekly
  • Critical vulnerabilities remediated within 24 hours; high severity within 7 days

6.2 Code Review

  • All code changes require review before merging to the main branch
  • Security implications considered during every code review
  • No direct commits to the production branch without review

6.3 Infrastructure

  • Infrastructure patching managed by SOC 2-certified cloud providers
  • Vercel edge network provides DDoS protection and anomalous traffic detection
  • Application-level rate limiting detects and blocks abuse patterns

7. Incident Response

Venda maintains a formal incident response process for identifying, containing, and recovering from security incidents. In the event of a confirmed breach involving personal data or API partner data:

  • Affected users notified within 72 hours via their registered email address
  • API partner notification within 72 hours of confirmed breach, or sooner if contractually required
  • Regulatory authorities notified within legally mandated timeframes where applicable

To report a suspected security vulnerability or incident, contact us at support@venda-list.com.

8. Endpoint and Personnel Security

  • Full-disk encryption required on all personnel devices (FileVault / BitLocker)
  • Automatic screen lock after 5 minutes of inactivity
  • Security patches applied to endpoints within 30 days; critical patches within 7 days
  • Anti-malware protection active on all work machines
  • Security awareness orientation required for all personnel upon joining

9. Contact

Questions about this security policy or Venda's security program:

  • Security contact: support@venda-list.com
  • Joe Maio, Founder & CEO — Data Protection and Security Responsibility
  • Website: venda-list.com

Last updated: April 2026. Approved by Joe Maio, Founder & CEO.