What Valty Processes
Valty processes normalized proof objects and evidence metadata, not your source-of-truth security systems. Your scanners, identity providers, cloud accounts, ticketing systems, and other tools of record remain with you. Valty ingests the minimum required to translate control state into financial risk: control identifiers, control status and timestamps, normalized findings, framework mappings, and the model inputs and outputs used to produce FAIR-aligned Monte Carlo estimates (P10/base/P90) and EBITDA-per-dollar remediation rankings. Account and contact data needed to operate the service (names, work email, authentication identifiers, billing-adjacent records) is also processed. Valty does not require copies of raw logs, full configuration dumps, or live credentials to your production systems.
Tenant Isolation
Each customer organization is a logically isolated tenant. Proof objects, model runs, and outputs are scoped to a single tenant and segregated at the data layer so that one customer's data is never readable by another. Access is governed by per-tenant authorization, and internal access is limited to the smallest set of personnel needed to operate and support the service.
Encryption
Data is encrypted in transit using TLS 1.2 or higher across all connections to and within the service. Data at rest is encrypted using AES-256 at the storage and database layers operated by our infrastructure providers. Secrets and credentials used to operate the platform are stored in managed secret stores rather than in application code or configuration.
Data Residency
Valty operates on cloud infrastructure whose regions are documented below. As an early-stage company, our current default processing footprint is the United States via our hosting, database, and supporting providers. We do not currently offer contractually pinned regional residency or data-localization commitments beyond the regions in which our subprocessors operate; design partners with specific residency requirements should raise them directly so we can confirm what is feasible before contracting.
Retention and Deletion
Valty retains proof objects and account data for the duration of the customer relationship to support the service and preserve the auditability of historical estimates and proof packs. On verified request, or following termination, Valty deletes or returns customer data within a commercially reasonable period, subject to limited backup-cycle expiry and any retention required by law. Specific retention windows and deletion timelines are set out in the full DPA.
Subprocessors
Valty uses the following subprocessors, each in a defined role: Vercel provides application hosting and content delivery (CDN); Neon provides the managed PostgreSQL database where tenant-isolated proof objects and account data are stored; Upstash provides managed Redis used for rate limiting and queuing; Attio is the CRM used for inbound lead and prospect contact capture; and Resend is the transactional email provider used to deliver service and notification emails. This is the complete current subprocessor list. Source-of-truth security systems are not subprocessors and remain under your control.
Data Ownership
You retain all right, title, and interest in your data. Valty processes that data solely to provide and improve the contracted service on your instructions and does not sell it or use it to build cross-customer profiles for third parties. Financial outputs produced by Valty are decision-support estimates, not actuarial, legal, or investment advice, and ownership of your underlying inputs and resulting proof packs stays with you.
Requesting the Full DPA
The executable Data Processing Agreement, including the formal subprocessor schedule, security commitments, breach-notification terms, and deletion timelines, is available on request. Contact Valty through the address listed on valty.ai or your design-partner point of contact to receive the current DPA and to be notified of material changes to the subprocessor list.