Vullify Trust Center

Our team is dedicated to ensuring your data remains private, secure and accessible.

Overview

Welcome to Vullify’s Trust Portal. This portal provides a comprehensive overview of our approach to data privacy, cybersecurity, governance, and compliance.

Here, you can access documentation outlining Vullify’s application architecture, along with our compliance and security reports. You’ll also find a real-time list of our sub-processors.

Trusted by

Drata, PostHog, Pangea, Utah Local Governments Trust

Certifications

  • Cyber Essentials Certificate
  • SOC2 Type 1 Report
  • SOC2 Type 2 Report

Architecture

Deployment Model

Vullify operates on Kubernetes hosted in Google Cloud (GCP), with our frontend running in Cloudflare Workers.

Our security-scanning infrastructure is powered by Google Cloud Kubernetes and Google Cloud virtual machines.

Data Storage

We persist data within Vullify using three external services:

PostgreSQL – Our primary application data is stored in Postgres:

  • PostgreSQL runs on Google Cloud SQL.
  • The instance is configured in high-availability mode with a hot standby located in a separate EU availability zone.
  • Data is encrypted at rest using GCP's native encryption and protected in transit with TLS 1.2.
  • Hourly snapshot backups are taken, and write-ahead-log retention is enabled to support point-in-time recovery.

Google Cloud Storage – For larger objects, such as uploaded files or downloadable resources, we use GCS object storage:

  • Buckets are configured with regional redundancy within the EU.
  • Data is encrypted at rest using GCP's built-in mechanisms and encrypted in transit with TLS 1.2.
  • Versioning is enabled on all buckets, allowing us to retain the latest versions of objects and roll back if necessary.
  • Critical data stored in GCS is replicated daily to AWS S3 buckets in the same region.

Google BigQuery – Vullify's data warehouse operates on BigQuery:

  • Data is encrypted at rest using GCP's built-in encryption mechanisms and encrypted in transit with TLS 1.2.

Physical / Network Security

Vullify operates on Google Cloud Platform, which is responsible for low-level security controls such as physical data center security and network security.

Logging and Audit

Vullify operates a self-hosted Elastic stack that aggregates all application logs generated by our system, enabling us to correlate infrastructure events with application activity. Logs are retained for three months.

Application

Authentication

Users can authenticate to Vullify using several methods:

  • Username and password with TOTP-based two-factor authentication
  • Sign in with Google
  • Sign in with Microsoft
  • Sign in with Okta

Vulnerability Management

Vullify performs annual penetration testing and weekly vulnerability scans. In addition to scheduled scanning, we use the Vullify platform to run real-time vulnerability scans against our internet-facing systems when:

  • New vulnerabilities are disclosed and corresponding checks become available through our scanning engines (emerging threat scans)
  • New cloud-based assets are exposed to the internet (cloud auto-scans)
  • New services are made publicly accessible (new service scans)

These scans help us quickly respond to changes in our attack surface and the evolving threat landscape, reducing the window of opportunity for potential attackers.

Critical and high-severity vulnerabilities must be remediated within 7 and 30 days respectively, medium-severity issues within 60 days, and low-severity findings on a best-effort basis.
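As an added illustration of how the remediation windows above can be tracked, the following example (not Vullify's own tooling) applies the stated 7/30/60-day windows to a constructed set of findings and reports which ones were closed in time, which are overdue, and which are best-effort only. The `Finding` structure, the sample identifiers and dates, and the treatment of "best effort" as having no due date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows in days, as stated in the vulnerability-management
# section; None means the finding is handled on a best-effort basis.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": None}


@dataclass(frozen=True)
class Finding:
    """Minimal finding record (hypothetical shape, not a Vullify data model)."""
    id: str
    severity: str
    disclosed: date            # date the finding was first reported to the team
    remediated: Optional[date] = None


def due_date(finding: Finding) -> Optional[date]:
    """Return the remediation deadline, or None for best-effort severities."""
    severity = finding.severity.lower()
    if severity not in REMEDIATION_SLA_DAYS:
        raise ValueError(f"unknown severity: {finding.severity!r}")
    window = REMEDIATION_SLA_DAYS[severity]
    return None if window is None else finding.disclosed + timedelta(days=window)


def sla_status(finding: Finding, today: date) -> str:
    """Classify a finding as met, breached, open, overdue or best-effort."""
    deadline = due_date(finding)
    if deadline is None:
        return "best-effort"
    if finding.remediated is not None:
        # Closed: compare the closing date against the deadline.
        return "met" if finding.remediated <= deadline else "breached"
    # Still open: overdue once today has passed the deadline.
    return "overdue" if today > deadline else "open"


def sla_report(findings: List[Finding], today: date) -> Dict[str, str]:
    """Map each finding id to its SLA status as of `today`."""
    return {f.id: sla_status(f, today) for f in findings}


# Constructed sample data; ids and dates are illustrative only.
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", date(2024, 3, 1), remediated=date(2024, 3, 6)),
    Finding("F-2", "critical", date(2024, 3, 1)),
    Finding("F-3", "high", date(2024, 2, 1), remediated=date(2024, 3, 10)),
    Finding("F-4", "medium", date(2024, 2, 1)),
    Finding("F-5", "low", date(2024, 1, 15)),
]

if __name__ == "__main__":
    for fid, status in sla_report(SAMPLE_FINDINGS, date(2024, 3, 15)).items():
        print(f"{fid}: {status}")
```

Running the block prints one status per sample finding; in practice the same logic would be fed from the scanner's export and the "overdue" and "breached" rows would be the ones escalated.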

We also scan for vulnerable code dependencies and perform SAST analysis using multiple tools as part of our automated development pipeline. Any finding fails the pipeline, preventing code with identified issues from being merged into the main branch.

Operations

Access Management

Access to production systems is controlled using GCP IAM, with two-factor authentication enabled for all accounts.

We follow the principle of least privilege by separating accounts into distinct administrator and user roles. Administrative access is granted only when necessary and is reviewed on a quarterly basis.

Test Environments

Vullify maintains a staging environment that is functionally identical to production but does not contain any production data. This environment is used to test code changes prior to release. In addition, we use GitLab review apps, where each feature branch automatically creates its own environment, allowing us to thoroughly test functionality before changes are merged into the main branch.

SDLC

All changes to the Vullify codebase undergo peer review by at least two developers, followed by automated testing and deployment to staging for final validation before reaching production. Code cannot be merged or deployed to production unless it has passed all required tests and received approval from a senior engineer.

Our applications are deployed continuously, with releases occurring at least twice per week.

Data Protection

Data Protection Policy

Our data protection policy is designed to keep your information secure and handled responsibly, in line with industry standards for data privacy and security.

Data Management

Our data protection policy ensures your information is safeguarded responsibly and in accordance with industry standards for privacy and security.

Encryption and Security

We use advanced encryption techniques to safeguard confidential data from unauthorized access and cyber threats, continuously updating these measures to counter evolving risks.

Expert Team

Our team is highly trained in data privacy and protection, ensuring your information is handled by skilled and conscientious professionals.

Transparency

We uphold transparency in our data protection practices and are ready to provide detailed information about our procedures upon request.

Compliance and Improvement

We routinely review and update our policies and practices to stay compliant with regulations and adapt to evolving data protection requirements.