How we protect your data.
VestaFide handles workforce data — names, phone numbers, schedules, behavioral signals, and payment information. We take the security of that data seriously. This page describes the technical and organizational measures we use to protect it.
Infrastructure
🔒 Encryption
All data in transit is encrypted using TLS 1.2 or higher. All connections to the Platform are served over HTTPS. Database connections use encrypted channels. Sensitive credentials (API keys, Twilio tokens, Stripe keys) are encrypted at rest and never stored in source code.
🏗️ Architecture
The Platform runs as a single Go binary backed by PostgreSQL. This minimalist architecture reduces attack surface — fewer moving parts mean fewer points of vulnerability. There are no unnecessary microservices, message queues, or intermediary systems that could introduce security gaps.
🔐 Authentication
User passwords are hashed using industry-standard algorithms and are never stored in plaintext. Session tokens are cryptographically generated and have configurable expiration. CSRF protection is enforced on all state-changing requests.
🛡️ Rate Limiting
All API endpoints are protected by rate limiting to prevent brute-force attacks and abuse. SMS delivery is rate-limited per phone number to prevent notification flooding. The Platform includes automatic recovery middleware that prevents a single error from cascading.
Data Protection
Access controls. Access to production systems and databases is restricted to authorized personnel on a need-to-know basis. There is no broad access to user data — each team member has access only to the systems and data necessary for their role.
Audit logging. Every significant action on the Platform produces an audit log entry — shift offers sent, offers accepted or declined, schedule changes, account modifications, and system events. Audit logs are append-only and cannot be modified or deleted. They include the actor (user or system), the action, the affected entity, and a timestamp. Logs are retained for a minimum of seven years.
Behavioral data isolation. Behavioral signals (EWMA estimates, trust scores, fairness scores) are stored separately from personally identifiable information. The flywheel engine operates on dimension keys that reference entity IDs — it does not process or store names, phone numbers, or other PII directly. If an account is deleted, behavioral signals are anonymized by removing the link to the individual's identity.
Third-party data handling. We share data with third-party service providers only as necessary to operate the Platform (see Privacy Policy, Section 3). All third-party providers are evaluated for their security practices. Payment processing is handled entirely by Stripe — VestaFide does not store credit card numbers, bank account numbers, or other payment credentials on our systems.
SMS security. Shift offers and schedule notifications are delivered via Twilio. SMS messages contain the minimum information necessary for the recipient to act (shift type, time, response instructions). Full employee details, behavioral scores, and sensitive business data are never included in SMS content.
Application Security
Input validation. All user inputs are validated on the server side. The Platform uses parameterized queries for all database operations, preventing SQL injection. User-supplied content is sanitized before rendering to prevent cross-site scripting (XSS).
Dependency management. The Platform uses Go's module system with vendored dependencies. Dependencies are reviewed before inclusion and pinned to specific versions. The dependency footprint is intentionally minimal — fewer dependencies mean a smaller surface area for supply-chain vulnerabilities.
Request tracing. Every request to the Platform receives a unique request ID. This ID is included in all log entries for that request, enabling end-to-end tracing for debugging and incident investigation without exposing user data in logs.
Incident Response
In the event of a security incident involving unauthorized access to personal data, we will notify affected users and relevant authorities within 72 hours of confirmed discovery, as required by applicable law. Notification will include the nature of the incident, the types of data affected, the steps we are taking to address it, and recommendations for affected users.
If you discover a security vulnerability in the Platform, please report it to [email protected]. We appreciate responsible disclosure and will work to address reported vulnerabilities promptly. Please do not publicly disclose vulnerabilities before giving us a reasonable opportunity to address them.
Background Checks
Gig workers who participate in the talent marketplace undergo a background check facilitated through a third-party provider. VestaFide receives only the pass/fail result of the check. We do not receive, store, or have access to the detailed contents of background check reports. The background check provider handles all data related to the check in accordance with their own privacy policy and applicable law, including the Fair Credit Reporting Act (FCRA).
Data Residency
All Platform data is stored and processed in the United States. We do not transfer user data to servers outside the United States. Our database and application infrastructure are hosted on US-based servers.
Continuous Improvement
Security is not a one-time effort. We continuously assess and improve our security posture, including reviewing access controls as the team grows, updating dependencies to address known vulnerabilities, monitoring for suspicious activity and unauthorized access attempts, and refining our incident response procedures.
Contact
If you have security concerns or questions, please contact:
VestaFide, Inc.
Email: [email protected]