Trust Center

Our security posture.
Transparent.

We practice what we build. Here's how Vimy protects your data, secures the Vimy platform, and maintains the infrastructure you depend on.

  • 100% Canadian Hosting: Canadian data centres
  • Zero US Subprocessors: No data under US jurisdiction
  • Encrypted Everywhere: AES-256 at rest · TLS 1.3 in transit
  • Tenant Isolation: Database-per-tenant architecture

Security Practices

How we protect the platform.

Infrastructure Security

  • All Vimy infrastructure runs on Canadian data centres. No compute, storage, or processing occurs outside Canada.
  • Production environment is isolated from development and staging. Access requires MFA and is logged.
  • All infrastructure is managed as code with version-controlled configurations.

Data Encryption

  • All data encrypted at rest using AES-256.
  • All data encrypted in transit using TLS 1.3.
  • Sensitive fields (connector credentials, API keys, tokens) use application-level field encryption via CipherSweet — searchable encryption without plaintext exposure.

Tenant Isolation

  • Each tenant receives a dedicated database. No shared tables, no co-mingled data.
  • Tenant context is enforced at the middleware layer — cross-tenant queries are architecturally impossible.
  • Tenant data deletion is complete and verifiable.

Authentication & Access Control

  • MFA is enforced for all Vimy users.
  • Role-based access control with four roles: Owner, Admin, Analyst, Viewer.
  • Session management with configurable timeouts.
  • All authentication events are logged in the tenant audit log.

AI & Data Privacy

  • AI inference runs on Canadian GPUs.
  • Your data is never used to train AI models — not ours, not anyone else's.
  • AI processing is stateless — no data is retained after inference completes.
  • AI inference runs entirely on Canadian infrastructure. No security data is sent to US-based AI providers.

Agent Security

  • The Vimy agent is a lightweight Go binary that runs in user space.
  • Zero kernel access. No root privileges required.
  • The agent observes and reports only — it never executes response actions.
  • Agent-to-server communication uses HTTPS with mutual TLS.

Incident Response

  • Vimy maintains an internal incident response plan.
  • Security incidents affecting customer data will be communicated within 72 hours as required by PIPEDA.
  • Post-incident reviews are conducted for all security events.

Compliance

How we protect your data.

PIPEDA: Compliant

Vimy complies with Canada's Personal Information Protection and Electronic Documents Act. All personal information is collected, used, and stored in accordance with PIPEDA's 10 fair information principles.

Law 25 (Quebec): Compliant

Vimy complies with Quebec's Act Respecting the Protection of Personal Information in the Private Sector (formerly Bill 64). Privacy impact assessments are conducted for new processing activities.

Subprocessors

Who processes your data.

| Subprocessor | Purpose | Location |
|---|---|---|
| Canadian cloud infrastructure (compute, managed databases, object storage, backups) | Primary cloud infrastructure for all Vimy services | Toronto, Canada |
| Canadian GPU infrastructure (AI inference) | AI-powered threat investigation and compliance reasoning | Toronto, Canada |
| Stripe (payment processing) | Billing and subscription management only | United States (billing data only) |

Vimy does not use US-based cloud providers, AI APIs, or analytics services for security data processing. Billing data handled by Stripe is the sole exception.

To request an updated subprocessor list, contact [email protected].

Data Handling

Your data, your control.

Data Retention

Retention periods depend on your plan: 90 days (Sentinel), 1 year (Bastion), or custom up to 7 years (Citadel). Data is permanently deleted after the retention period expires.

Data Portability

Data exports are available by request. Exports include configuration, audit logs, detection history, and compliance evidence. Contact [email protected] to initiate an export.

Data Deletion

When you cancel your account, all tenant data — including databases, event stores, and graph data — is permanently deleted within 30 days. Deletion is complete and irreversible.

Security Research

Responsible disclosure.

We welcome security research conducted in good faith. If you discover a vulnerability in Vimy, please report it to [email protected].

We commit to acknowledging receipt within 48 hours, providing regular updates on remediation progress, and not pursuing legal action against researchers acting in good faith.

Documentation

Need more detail?

We're happy to share our security documentation, data processing agreement, or answer specific questions from your security team.
