// SECTION T0 — TRUST + SECURITY
Built to survive an OSHA audit.
And your carrier’s underwriter.
Audit-grade means you don’t take our word for it.
Vendric Labs sells software that handles consequential records. Trust signals belong in plain sight, not buried in a footer. Below: how we treat customer data, what we encrypt, who else touches the data, and what we’ve filed (or haven’t) on compliance attestations. If anything here is unclear or you need more detail than the page provides, email security@vendriclabs.net.
// SECTION T1 — DATA POSTURE
Customer data stays the customer's.
The single load-bearing claim on this page. Everything else flows from it.
// SECTION T2 — ENCRYPTION
What we encrypt, with what.
Named primitives, named purposes. If we can't say what cipher protects a class of data, we don't claim to protect it.
// SECTION T3 — COMPLIANCE ROADMAP
What's live, what's in build, and what isn't filed yet.
We won't claim a certification we haven't earned. SOC 2 Type II is the headline target — it's not in flight today, and this table will update the day we engage an auditor.
// SECTION T4 — CRYPTOGRAPHIC INFRASTRUCTURE
Industry-standard cryptography. No blockchain. No token. No hype.
Trust is established through code, not through consensus theatre. The primitives below are well-known, peer-reviewed building blocks. Application-layer specifics are provided to procurement and counsel under NDA.
// SECTION T5 — AI PROVENANCE
Model Card · what runs, what it sees, who reviews it.
Per-product Model Card summaries below. Evaluation methodology is under documentation — contact security@vendriclabs.net for current detail.
// SECTION T6 — SUBPROCESSORS
Who else touches customer data.
Three vendors. Each one named, each one scoped. If we add a new subprocessor we will list it here before it begins processing customer data.
// SECTION T7 — DISCLOSURE
If you find a vulnerability, we want to hear about it.
No bounty program today. Honest acknowledgement and a public credit on a hardening writeup once fixed.
Vendric Labs is solo-founded today. We aim to respond promptly; we will not put a hard SLA in writing until we can guarantee it.
- · Don’t exfiltrate customer data while testing.
- · Give us reasonable time to fix before public disclosure.
- · Don’t use social-engineering or physical attacks against staff.
- · Don’t test denial-of-service.
// SECTION T8 — ARTIFACTS
Download what you need.
No login wall. No NDA wall. If something is wrong or stale, that's a bug — email security@vendriclabs.net.
// SECTION T9 — A NOTE FROM THE FOUNDER
“A page that promises trust isn’t trust. The only trust signal that survives contact with an actual incident is the one you can verify yourself — without our cooperation, without our keys, without our help.”
Vendric Labs is solo-founded today. This page intentionally lists what we have built and what we have not. We won’t put an SLA in writing until we can guarantee it, and we won’t claim a certification we haven’t earned. If anything here reads as marketing instead of substantiation, that’s a bug. Tell me directly.