Security
Security at Vewport.
What we lock down, what we audit, and how to report a vulnerability.
Hosting & data residency
EU-hosted by default — postgres + object storage live in the EU region of our cloud provider. Self-hosted customers run the entire stack on their own infrastructure; we have zero visibility into a self-host deployment.
Encryption
- In transit: TLS 1.2+ on every public surface (vewport.com, app.vewport.com, api.vewport.com). Self-host: bundled nginx + Let’s Encrypt out of the box.
- At rest: postgres + S3-compatible storage encrypted with provider-managed keys. Bring-your-own-KMS on Custom plans.
- Passwords: bcrypt with cost factor 12, no plaintext storage anywhere in the pipeline (logs, error reports, backups).
Access control
Four built-in roles: Owner / Admin / Editor / Viewer. OAuth sign-in (Google, Microsoft, GitHub, Odoo) on every plan; SAML 2.0 SSO is included on every tier — Free, Starter, Professional, and Custom — with no per-seat surcharge. Read-access API keys are scoped per integration so an Odoo connection can’t escalate to admin actions.
Operational practices
- Self-host backups: an on-demand backup profile dumps Postgres to S3 (or any S3-compatible bucket). Configure it with the host cron snippet in distributions/odoo-selfhost/README.md.
- Sentry error reporting with PII scrubbing on every event (when SENTRY_DSN is configured).
- npm audit on every install. SOC 2-grade dependency scanning (Snyk / Dependabot) is on the roadmap alongside the SOC 2 work below.
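The PII-scrubbing hook described above, as an added example that is not Vewport's code: a Sentry beforeSend function that drops credential fields (so a captured password never reaches an error report, in line with the Encryption section) and masks PII, with SDK setup gated on SENTRY_DSN. The key lists, the sample event and the sentryOptions helper are constructed for illustration; beforeSend and sendDefaultPii are Sentry's documented option names, and the SDK call itself appears only in a comment so the file runs offline.

```javascript
// Added example (not Vewport's code): a Sentry beforeSend hook that redacts
// credentials and common PII from every event before it leaves the process.
// Key lists and the sample event below are constructed for illustration.
const SECRET_KEYS = /^(password|passwd|pwd|secret|token|authorization|cookie|api[_-]?key)$/i;
const PII_KEYS = /^(email|phone|ip_address|user[_-]?agent)$/i;
const EMAIL_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/g;

// Recursively copy an event payload: drop secret-like keys outright, mask
// PII keys, and redact e-mail addresses embedded in free-text strings.
// The original event object is never mutated.
function scrub(value) {
  if (Array.isArray(value)) return value.map(scrub);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (SECRET_KEYS.test(k)) continue;              // never ship credentials
      out[k] = PII_KEYS.test(k) ? '[redacted]' : scrub(v);
    }
    return out;
  }
  if (typeof value === 'string') return value.replace(EMAIL_RE, '[email]');
  return value;
}

// Sentry calls beforeSend for every event; returning null would drop it.
function beforeSend(event) {
  return scrub(event);
}

// Only build SDK options when SENTRY_DSN is set, matching the page's
// "when SENTRY_DSN is configured" behaviour (hypothetical helper).
function sentryOptions(env) {
  if (!env.SENTRY_DSN) return null;                  // reporting disabled
  return { dsn: env.SENTRY_DSN, sendDefaultPii: false, beforeSend };
  // usage: const opts = sentryOptions(process.env); if (opts) Sentry.init(opts);
}

// Constructed sample event: a failed login whose request body was captured.
const SAMPLE_EVENT = {
  message: 'Login failed for alice@example.com',
  user: { id: 42, email: 'alice@example.com', ip_address: '203.0.113.7' },
  request: {
    data: { username: 'alice', password: 'hunter2' },
    headers: { Cookie: 'sid=abc', 'User-Agent': 'Mozilla/5.0' },
  },
  extra: { api_key: 'sk_live_constructed', retries: 3 },
};
```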
Audits & compliance
SOC 2 Type II is on the roadmap; not yet certified. GDPR-aligned (EU team, EU hosting, DPA available on request). We will publish the audit report on this page when complete.
Reporting a vulnerability
Email [email protected] with reproduction steps. We acknowledge within 48 hours and triage within 5 business days. Please don’t open a public issue or post on social media before we’ve had a chance to patch — coordinated disclosure protects every customer.
Out of scope
- Self-XSS that requires the user to paste code into devtools.
- Missing security headers without a corresponding exploit.
- Reports against staging or sandbox environments.
- Brute-force / DoS — we rate-limit at the edge.
We don’t currently run a paid bug bounty. We do recognize good reporters in the changelog with their permission, and serious findings get a written thank-you from the team.
Bring your first screen live today.
Free for up to 1 screen and 100 MB of media for 3 months: enough to prove it works in your own room before anyone signs a purchase order.
Create a free workspace