Audit chain · live since 2026-05-22 · verifyvendriclabs.net43.6150° N · 116.2023° WMMXXVI

// SECTION T0TRUST + SECURITY

Built to survive an OSHA audit.
And your carrier’s underwriter.

Audit-grade means you don’t take our word for it.

Vendric Labs sells software that handles consequential records. Trust signals belong in plain sight, not buried in a footer. Below: how we treat customer data, what we encrypt, who else touches the data, and what we’ve filed (or haven’t) on compliance attestations. If anything here is unclear or you need more detail than the page provides, email security@vendriclabs.net.

Your submissions used to train models?
No.
Encryption at rest
AES-256-GCM
Encryption in transit
TLS 1.3
Audit chain
Live since 2026-05-22
SOC 2 Type II
Planned · H2 2026
Security contact
security@vendriclabs.net
Read Security Overview →Email security@vendriclabs.net

// SECTION T1DATA POSTURE

Customer data stays the customer's.

The single load-bearing claim on this page. Everything else flows from it.

Your submissions are not training data.

We don't fine-tune any model on customer photos, incident records, or chat transcripts. We don't opt into vendor training-data programs on the inference endpoints we call. Our forward-looking training corpus is de-identified public regulatory data only (OSHA citations, 29 CFR text, court filings) — we cannot promise your company has never appeared in a public OSHA record, because that record is public the moment it's filed.

Strict tenant isolation.

Each Reeve tenant has its own verification key, its own storage scope, and its own audit chain. Cross-tenant inference is architecturally impossible — not just policy-prohibited.

Yours to export.

Records will export with a cryptographic proof on the Q3 2026 roadmap. The audit chain is verifiable without our cooperation once you hold your tenant's verification key.

Yours to delete.

Customer-initiated deletion is supported. Request via security@vendriclabs.net for current scope and timing — we will document the deletion event into the audit chain so it remains verifiable.

// SECTION T2ENCRYPTION

What we encrypt, with what.

Named primitives, named purposes. If we can't say what cipher protects a class of data, we don't claim to protect it.

At rest
AES-256-GCM via Azure Storage Service Encryption.
In transit
TLS 1.3 between client, edge, and origin.
Audit chain
Authenticated per-tenant audit chain. Verification keys available to customers on request via security@vendriclabs.net.
Future export proofs
Tamper-evident selective export of records on the Q3 2026 roadmap. Carrier-facing record exchange and compliance-proof workflows on the longer roadmap. Cryptographic detail provided under NDA.

// SECTION T3COMPLIANCE ROADMAP

What's live, what's in build, and what isn't filed yet.

We won't claim a certification we haven't earned. SOC 2 Type II is the headline target — it's not in flight today, and this table will update the day we engage an auditor.

Audit chain
Live
2026-05-22
Tenant data isolation
Live
2026-05-22
Verification keys (partner access)
Live
2026-05-22
Trust + Security page
Live
2026-05-24
Documented vulnerability disclosure
Live
2026-05-24
Selective subpoena export
In build
Q3 2026
SOC 2 Type I (interim)
Planned
H2 2026
SOC 2 Type II (target)
Planned
H2 2026 → 12-month observation
Compliance proofs
Design
Q4 2026
Carrier-facing record exchange
Pilot
2027

Last reviewed 2026-05-24. We update this table when status changes.

// SECTION T4CRYPTOGRAPHIC INFRASTRUCTURE

Industry-standard cryptography. No blockchain. No token. No hype.

Trust is established through code, not through consensus theatre. The primitives below are well-known, peer-reviewed building blocks. Application-layer specifics are provided to procurement and counsel under NDA.

AES-256-GCM

Data at rest

Customer records, photos, and audit-chain artifacts at rest in Azure storage. Authenticated encryption — not just confidentiality.

TLS 1.3

Data in transit

Modern cipher suites with forward secrecy via ECDHE.

Per-tenant audit chain

Tamper-evident record integrity

Every consequential event is canonicalized and signed under a per-tenant verification key. The chain is verifiable independently of Vendric Labs once a customer or auditor holds the key. Cryptographic detail is provided under NDA.

// SECTION T5AI PROVENANCE

Model Card · what runs, what it sees, who reviews it.

Per-product Model Card summaries below. Evaluation methodology is under documentation — contact security@vendriclabs.net for current detail.

Reeve

Photo-to-hazard analysis + 29 CFR 1926 citation grounding

Model
Anthropic Claude Sonnet (4.x family)
What it sees
Construction-site photos and OSHA-rule text the customer submits. No persistent fine-tuning. No training opt-in.
Human-in-the-loop
Every penalty-bearing output is reviewed by the customer before submission to OSHA. The system drafts; the GC signs.
Vendric (pre-launch)

Local-first personal AI with persistent identity

Model
Local model on the user's machine. No vendor inference endpoint involved.
What it sees
Conversations never leave the user's machine.
Human-in-the-loop
The user is the loop. Vendric does not act on their behalf without explicit instruction.
Read Model Card →

// SECTION T6SUBPROCESSORS

Who else touches customer data.

Three vendors. Each one named, each one scoped. If we add a new subprocessor we will list it here before it begins processing customer data.

Microsoft Azure
Reeve product hosting + storage
All Reeve customer data: incident records, photos, audit chain, citation index, verification keys.
US regions
Netlify
Marketing site hosting (vendriclabs.net)
Inbound email addresses captured via marketing forms. No customer record data.
US (Netlify Edge)
Anthropic
AI inference (vision + reasoning)
Construction-site photos and OSHA-related text passed in for hazard analysis and citation grounding. We do not opt into vendor training-data programs on the endpoints we call.
Anthropic-managed inference (US)
Read Subprocessor List →

// SECTION T7DISCLOSURE

If you find a vulnerability, we want to hear about it.

No bounty program today. Honest acknowledgement and a public credit on a hardening writeup once fixed.

Email
security@vendriclabs.net

Vendric Labs is solo-founded today. We aim to respond promptly; we will not put a hard SLA in writing until we can guarantee it.

What we ask
  • · Don’t exfiltrate customer data while testing.
  • · Give us reasonable time to fix before public disclosure.
  • · Don’t use social-engineering or physical attacks against staff.
  • · Don’t test denial-of-service.

// SECTION T8ARTIFACTS

Download what you need.

No login wall. No NDA wall. If something is wrong or stale, that's a bug — email security@vendriclabs.net.

DOCUMENT · READ ONLINE

Security Overview

Summary of data posture, encryption, infrastructure, and current compliance status. The reference document for procurement. PDF download on the page.

Read →
DOCUMENT · READ ONLINE

Model Card

Per-product AI provenance: which model, what data it sees, human-review checkpoints. PDF download on the page.

Read →
DOCUMENT · READ ONLINE

Subprocessor List

Named vendors, data they touch, regions. Updated when the list changes. PDF download on the page.

Read →

// SECTION T9A NOTE FROM THE FOUNDER

“A page that promises trust isn’t trust. The only trust signal that survives contact with an actual incident is the one you can verify yourself — without our cooperation, without our keys, without our help.”

Vendric Labs is solo-founded today. This page intentionally lists what we have built and what we have not. We won’t put an SLA in writing until we can guarantee it, and we won’t claim a certification we haven’t earned. If anything here reads as marketing instead of substantiation, that’s a bug. Tell me directly.

— Taylor Marr, founder · taylormarr@vendriclabs.net