Google Cloud Platform — US regions. Tenant data is logically isolated per workspace.
Trust center
Valty, on Valty — our own posture, in the same evidence model we sell.
We apply the same claim discipline to ourselves that the product enforces for customers. Certifications not yet achieved are labeled as roadmap. Metrics are stage-appropriate. No fabricated proof.
Contact security teamAll web and API traffic encrypted in transit. AES-256 at rest via GCP-managed keys.
Not yet achieved. Audit-readiness program is in scope for the platform-closure plan.
Public and tenant data are strictly separated
The marketing site (valty.ai) does not share infrastructure or data storage with the product application (app.valty.ai). Customer evidence, findings, and proof artifacts do not flow to or from the public surface.
Tenant isolation enforced at the database layer
Row-level security (RLS) policies on every production table enforce workspace scope. Cross-tenant reads require explicit SECURITY DEFINER functions with reviewed scope. No tenant can read another tenant's evidence.
Credentials stored in GCP Secret Manager, not environment variables
Production credentials — API keys, database owner URLs, OAuth client secrets — are stored in GCP Secret Manager and referenced at runtime. They are not committed to source control and not embedded in deployment configs.
Authentication via NextAuth with short-lived JWTs
Session tokens are short-lived JWTs signed server-side. MFA is available for workspace administrators. OAuth (Google SSO) is the recommended production path.
Valty evidence grammar applied to Valty
The same EvidenceTrustCard and FrameworkModeCard the product sells — displaying Valty's own posture.
The trust tier and framework coverage below reflect the product evidence model applied to Valty's own internal posture at design-partner stage. Design partner on any metric means the value is illustrative of methodology range, not an audited customer result.
EvidenceTrustCard + EvidenceShield
Evidence trust
T1Hardware-attestedPassFresh 18h
T2Software-attestedPassFresh 2d
T3API-verifiedReviewFresh 4d
Hash-chain verified across the export window.
FrameworkModeStack
Evidence-mode coverage
- Automated
- 62
- Assisted
- 24
- Manual
- 14
Certification status
What is achieved, what is roadmap, and what is inherited from our infrastructure providers.
Certifications that are not yet achieved are labeled Roadmap preview. We do not claim SOC 2 or FedRAMP as achieved until the audit report exists.
SOC 2 Type II
- Status
- Roadmap
- Note
- Audit-readiness program in progress. Not yet achieved. Target: platform-closure Stage 3.
FedRAMP
- Status
- Roadmap
- Note
- Future roadmap — aligned with federal/supply-chain customer motion. No authorization in progress at this stage.
ISO 27001
- Status
- Roadmap
- Note
- Under evaluation as a complement to SOC 2. No active certification engagement.
Penetration test (3rd party)
- Status
- Roadmap
- Note
- Independent pen test is in roadmap for design-partner close. Internal review completed; external assessment not yet commissioned.
Encryption at rest (AES-256)
- Status
- Via provider
- Note
- Enforced via GCP-managed keys on Neon PostgreSQL and Cloud Storage. Inherited from GCP SOC 2 / ISO 27001.
GDPR / CCPA baseline
- Status
- Baseline in place
- Note
- Privacy policy and data-handling baseline in place. Formal DPA available on request. Legal-counsel review cycle.
Proof matrix
Certification and compliance posture — source, confidence, freshness
Every certification claim carries publication state, source, and freshness so buyers can assess what is audited versus what is a design intent.
ClaimSourceConfidenceFreshness
SOC 2 Type IIInternal audit-readiness programNot yet achieved — in roadmapStatus reviewed quarterly
FedRAMPPlatform-closure plan — Stage 3 targetNot yet achieved — future roadmapStatus reviewed with federal engagement milestones
ISO 27001Under evaluationNot yet scoped — roadmap considerationStatus TBD
Penetration testNot yet completed by independent third partyInternal review only at this stageThird-party pen test is in roadmap for design-partner close
GDPR / CCPA readinessPrivacy policy and data-processing baselineBaseline in place; formal DPA available on requestReviewed on legal-counsel cycle
Encryption at restGCP-managed AES-256 (Neon / Cloud SQL)Platform-enforced — GCP provider attestationInherited from GCP SOC 2 / ISO 27001 certifications
Dogfood — EBITDA bridge applied to Valty
Our own cyber-risk exposure modeled in the same workflow we sell. Design partner
The bridge below uses the same FAIR-style evidence-to-dollar model that Valty generates for customers. Inputs use illustrative design-partner ranges — not audited Valty financials. The method, confidence band, and assumptions are visible next to the estimate, exactly as they would appear in a customer proof pack.
What this demonstrates
Evidence discipline holds even when the subject is us.
- Same FAIR-style loss-exposure model used for customer engagements
- Confidence band and P10/Base/P90 range visible inline
- Assumptions inspectable before the number is shared
- Financial output is decision-support, not a warranty or insurance basis
- Blocked claims (unresolved evidence gaps) labeled before any board delivery
Inputs are illustrative ranges at design-partner stage. They are not audited Valty financials. The bridge is published here to demonstrate methodology honesty, not as a formal disclosure.
Architectural proof
What is reviewable at design-partner stage without an NDA.
Multi-tenant isolation
- Source
- RLS-enforced PostgreSQL (Neon) — row-level security on every tenant-scoped table
- Confidence
- Architecture-enforced; reviewed in Phase 0 RBAC audit (2026-06)
- Freshness
- Reviewed on schema change; SECURITY DEFINER functions audited per PR
Credential storage
- Source
- GCP Secret Manager — no credentials in source control or deployment configs
- Confidence
- Operational fact; GCP access log available to design-partner reviewers under NDA
- Freshness
- Secret rotation reviewed quarterly or on personnel change
Data residency
- Source
- US GCP regions (us-central1, us-east1) + Neon US cluster
- Confidence
- Infrastructure fact — configurable per enterprise engagement
- Freshness
- Reviewed when tenant data-residency requirements are scoped
Authentication
- Source
- NextAuth JWTs + Google OAuth SSO — session scope enforced server-side
- Confidence
- Production-verified; admin bypass requires explicit per-PR consent
- Freshness
- Auth posture reviewed on library update cycle and on security inquiry
Encryption in transit
- Source
- TLS 1.3 enforced by Vercel edge + GCP load balancer; no HTTP in production
- Confidence
- Infrastructure-enforced — inherited from Vercel and GCP TLS attestation
- Freshness
- Reviewed on edge config change
Audit logging
- Source
- Application-layer event log + GCP Cloud Audit Logs for infrastructure actions
- Confidence
- Operational; completeness reviewed before SOC 2 audit scope is finalized
- Freshness
- Log retention follows GCP default (400-day) + application-level archival
Subprocessors
Third-party services that process Valty customer or lead data.
This list is current as of the trust-center publication date. Changes are made when a subprocessor is added, removed, or changes scope. Enterprise customers may request advance notice of material subprocessor changes via security@valty.ai.
SubprocessorPurposeRegionCertification
Google Cloud PlatformPrimary infrastructure — compute, storage, networking, secret managementUS (us-central1, us-east1)SOC 2, ISO 27001
Neon (PostgreSQL)Primary database — tenant workspace data, evidence, controls, proof packsUSSOC 2 Type II
VercelMarketing site and product application hosting / CDNUS + global edgeSOC 2 Type II
StripePayment processing — billing and subscription managementGlobalPCI DSS Level 1, SOC 2
AttioCRM — lead pipeline, design-partner contacts, inbound request routingUSSOC 2
Google OAuth (Workspace)SSO authentication for product workspace loginGlobalISO 27001, SOC 2
Apollo.ioOutbound sales intelligence and website-visitor enrichment (marketing only)USSOC 2
ResendTransactional email delivery for workspace notificationsUSSOC 2
Last reviewed: 2026-06-20. Certification statuses are based on publicly available attestations from each subprocessor. Valty does not independently audit subprocessor certifications.
Security incident log
Publicly disclosed security events.
Valty will update this log when a security incident meets the disclosure threshold: confirmed unauthorized access to customer data, material service compromise, or regulatory notification requirement. No events to disclose at this stage.
DateSeveritySummaryStatus
—None recordedNo security incidents to disclose at this stage. This log will be updated on confirmed events.No action required
Security contact
Report a vulnerability or request security documentation.
Security researchers, buyers, and design partners can reach the Valty security team at security@valty.ai. We respond to all inbound disclosures within two business days and target remediation timelines based on severity. NDA and DPA requests route through the same address.
Vulnerability disclosure
Coordinate all vulnerability reports through security@valty.ai. Include reproduction steps, scope, and severity assessment. We do not operate a public bug-bounty program at this stage; all disclosures are handled directly.
PGP key
A PGP public key is available on request for encrypted disclosure. Contact security@valty.ai to receive the key fingerprint before sending sensitive material. Key rotation follows annual cadence or on personnel change.
Data processing agreement
Customers requiring a formal DPA (GDPR / CCPA / enterprise procurement) should request the baseline via security@valty.ai. The DPA is reviewed by legal counsel and provided under NDA for enterprise and design-partner engagements.
Response SLA
Initial acknowledgement: two business days. Severity classification shared with reporter: five business days. Remediation timeline: dependent on severity — critical within 30 days, high within 90 days. Response timelines are operational targets, not contractual guarantees, at design-partner stage.
Security review
Request documentation for procurement, diligence, or design-partner evaluation.
Security questionnaires, DPA, architecture diagrams, and design-partner NDA route through security@valty.ai. The proof page shows what a Valty proof artifact contains before you commit to an engagement.