// SECURITY OVERVIEW · v1
Vendric Labs
Security Overview
How customer data is handled, what is encrypted, and who else touches it. Written for procurement.
1 ·POSTURE
Vendric Labs is solo-founded today, building software that handles consequential records — OSHA logs, incident reports, contractor histories. The product thesis assumes the record outlives the company that shipped it. The security posture is therefore local-first where possible, audit-grade everywhere, and built so that a customer can verify their records without our cooperation.
One load-bearing rule: customer submissions to Reeve (incident records, photos, drafted forms, chat) are never used to train any model — ours or a vendor’s. We do not opt into vendor training-data programs on the inference endpoints we call. Our forward-looking training corpus consists exclusively of de-identified public regulatory data (OSHA citations, 29 CFR text, court filings). Because those records are public the moment they’re filed, we cannot promise that incidents originally reported by a particular customer have never appeared in that public corpus.
2 ·DATA LIFECYCLE
3 ·ENCRYPTION
4 ·INFRASTRUCTURE
Reeve (live product at vendriclabs.net) runs on Microsoft Azure, US regions. All customer records, photos, verification keys, audit chain, and citation index live in Azure storage. The marketing site (vendriclabs.net) is a static Next.js build on Netlify, US edge — it does not handle product data.
Vendric (the local-first personal AI, pre-launch 2026 H2) runs on the user’s own machine; conversations never reach a Vendric Labs server.
5 ·ACCESS
Production access is currently held by the founder. Access hardening (including documented multi-factor authentication posture across consoles) is in progress. Current status available on request to security@vendriclabs.net.
6 ·COMPLIANCE ROADMAP
We will not name a SOC 2 auditor until one is engaged. We will not claim a certification status we have not earned.
7 ·SUBPROCESSORS
Three vendors touch customer data today. The full list lives in the subprocessor list (and on vendriclabs.net/trust). New subprocessors will appear on the public list before they begin processing customer data.
8 ·INCIDENT RESPONSE + DISCLOSURE
Vendric Labs is solo-founded today. We aim to respond promptly to security reports and material incidents; we will not put a hard SLA in writing until we can guarantee it. Report a vulnerability at security@vendriclabs.net.
9 ·AI HANDLING
Reeve’s photo-to-hazard analysis and citation grounding run on Anthropic Claude Sonnet (4.x family). We do not fine-tune. We do not opt into vendor training-data programs. Every penalty-bearing output is reviewed by the customer before submission to OSHA — the system drafts, the GC signs.
Full Model Card with per-product detail and human-in-the-loop checkpoints: Model Card.
“A page that promises trust isn’t trust. The only trust signal that survives contact with an actual incident is the one you can verify yourself.”
— Taylor Marr, founder