Security
Last Updated: May 4, 2026
Verdan's marketing site is designed with a privacy-conscious, data-minimizing architecture: it is a static site with no user accounts, no client-side analytics, and no advertising scripts.
If you believe you've found a security issue, please report it to us at security@verdanhq.com with the subject line “Security Report”.
Security overview
Minimal data handling
- The marketing site does not require accounts or logins.
- We do not run analytics, ad pixels, session replay, or other tracking scripts.
- Demo and contact forms submit to dedicated form endpoints with required-field validation, honeypot fields, and optional per-IP rate limiting.
- Demo requests are delivered to authorized Verdan personnel through our email provider.
Procurement and review materials
- A Data Processing Addendum (DPA) is available for qualified customers and procurement reviews. Request one at legal@verdanhq.com.
- Security review materials can be shared during sales conversations, including hosting, access-control, subprocessors, and data-handling context relevant to your evaluation.
- We do not display SOC 2, ISO, or similar certification badges unless a certification is complete and current.
Website delivery and protection
The site is hosted on AWS S3 and delivered through AWS CloudFront, with DNS managed outside AWS. This keeps the marketing site static, cacheable, and isolated from application runtime concerns.
Traffic to the site uses HTTPS. Static site objects are encrypted at rest by AWS S3 server-side encryption, and CloudFront applies security response headers including HSTS, CSP, frame protection, content-type protection, referrer policy, and permissions policy.
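As an added illustration (not Verdan's own tooling), the following script checks a captured HTTP response for the header classes listed above; the header names it expects are standard ones assumed here, and the sample response is constructed for the demonstration.

```shell
#!/bin/sh
# Audit a raw HTTP response (read from stdin) for the security response
# headers a hardened static-site distribution should send. Prints the name
# of each missing control, one per line; prints nothing when all are present.
missing_headers() {
  hdrs=$(tr -d '\r' | grep -i '^[a-z0-9-]*:')
  names=$(printf '%s\n' "$hdrs" | awk -F: '{print tolower($1)}')
  for h in strict-transport-security content-security-policy \
           x-content-type-options referrer-policy permissions-policy; do
    printf '%s\n' "$names" | grep -qx "$h" || echo "$h"
  done
  # Frame protection is satisfied by either X-Frame-Options or a
  # CSP frame-ancestors directive, so accept either form.
  if ! printf '%s\n' "$names" | grep -qx x-frame-options \
     && ! printf '%s\n' "$hdrs" | grep -iq '^content-security-policy:.*frame-ancestors'; then
    echo "frame-protection"
  fi
}

# Constructed sample response: HSTS, frame, content-type and referrer
# controls are present, while CSP and Permissions-Policy are missing.
SAMPLE='HTTP/2 200
content-type: text/html
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
'

# Report the gaps in the constructed sample. Against a live site the same
# function would be fed with: curl -sI https://example.com | missing_headers
printf '%s' "$SAMPLE" | missing_headers
```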
Product security topics
Enterprise buyers commonly ask about AES-256 encryption at rest, TLS 1.2+ and TLS 1.3 encryption in transit, SSO/SAML or OIDC, two-factor authentication (2FA/MFA), role-based access (RBAC), audit logs and audit trail exports, data retention, data residency, subprocessors, export, deletion, HIPAA posture, CCPA/CPRA, GDPR, Standard Contractual Clauses (SCC), annual penetration test cadence (pen test), uptime, SLA, and incident response. We cover those topics in the security review packet for qualified product evaluations so the answers match the deployment and contract under review.
- Hosting and data residency: Verdan is US-focused. Product hosting region, data residency, backup, and retention commitments are confirmed in the customer security packet and contract materials.
- Encryption: Marketing-site objects use AWS S3 server-side encryption at rest, and all public traffic is served over HTTPS with TLS 1.2+ support. Product security materials specify AES-256 encryption at rest and TLS 1.2+ encryption in transit where those controls apply to the deployment under review.
- Authentication and SSO/SAML/OIDC: Administrative systems require MFA. Product authentication, SSO/SAML availability, OIDC identity-provider support, and MFA requirements are reviewed during sales and security evaluation.
- Access control and audit logs: Role-based access, audit-log retention, exports, deletion workflows, and off-boarding controls are covered in product security review materials.
- Subprocessors: Current marketing and operations subprocessors include AWS, Google Workspace/Vault, and email delivery or DNS/form-routing providers. A product subprocessor list is available with the DPA and security packet.
- Compliance posture: Verdan does not claim SOC 2, ISO, HIPAA, or similar certification badges unless a certification is complete and current. SOC 2 (SOC2) readiness, third-party penetration test timing, pen test cadence, and related roadmap items are shared when active.
- Availability: Production uptime, support commitments, and any 99.9% uptime SLA are documented in the customer agreement or order form when applicable.
- Privacy laws: Verdan is currently focused on US customers. We support CCPA/CPRA-style access and deletion requests for marketing inquiries. GDPR-specific commitments are handled only when a customer deployment requires them.
- Incident response: Procurement materials describe incident response ownership, notification paths, severity handling, and customer communication expectations for production deployments.
Access controls
Administrative access to infrastructure and email systems is limited to founders and management.
Multi-factor authentication (MFA) is required for key accounts and services.
Email security
Company email is hosted on Google Workspace.
We use Google Vault for retention and eDiscovery controls.
Access to inboxes is restricted to authorized personnel.
Reporting a vulnerability
We appreciate responsible disclosures.
When reporting, please include:
- A clear description of the issue and potential impact
- Steps to reproduce
- Affected URL(s) or page(s)
- Screenshots or logs (if helpful)
We aim to acknowledge valid reports within a reasonable timeframe.
Good-faith testing guidelines
Please do not:
- Access or modify data that is not yours
- Use social engineering (phishing, impersonation) against our team
- Run denial-of-service (DoS) tests
- Perform automated scanning at a level that could degrade site availability
If you follow these guidelines and report issues responsibly, we will treat your report as authorized, good-faith security research.
Scope notes
This page describes security practices for Verdan's marketing site. Any future product, application, or API may have additional security controls and separate documentation.
Third-party websites linked from our site are governed by their own security practices and policies.
Updates
We may update this Security page from time to time. We will post changes here and update the “Last Updated” date above.