Last updated: March 2026
Security Practices
Proviqa takes the security of your data seriously. We don't have SOC 2 or ISO 27001 certification yet — we're a young company. But we believe in transparency about what we do today and where we're headed.
Infrastructure
- Hosting: Single EU-based VPS, deployed via Kamal 2 with Docker containers behind Thruster (an HTTP/2 proxy)
- SSL/TLS: All traffic encrypted in transit via TLS 1.2+ through Cloudflare
- Database: SQLite3 with encrypted backups
- No third-party analytics: We don't use Google Analytics, Mixpanel, or any tracking scripts
- CI/CD: GitHub Actions with Brakeman security scanning on every push
Data Handling
- What we store: Vendor legal document snapshots (publicly available text), change diffs, AI-generated summaries, and your account information (email, company name, vendor list)
- What we don't store: We don't process or store your company's proprietary data, contracts, or internal documents
- AI processing: Summaries are generated via API calls to third-party LLMs. Document text is sent for analysis; we do not use your data to train models
- Data location: All data is stored and processed within the EU
Access Controls
- Authentication: Session-based authentication with secure, HTTP-only cookies
- No shared accounts: Each user has individual credentials
- Admin access: Limited to the founder; all production access is logged
Cookies
We use essential cookies only (session management). No tracking cookies, no advertising cookies, no third-party cookies. See our Privacy Policy for details.
Incident Response
In the event of a security incident:
- We investigate and contain within 24 hours
- We notify affected customers within 72 hours (per GDPR Art. 33/34)
- We publish a post-incident summary
No incidents to date.
Responsible Disclosure
If you discover a security vulnerability, please report it to hello@proviqa.com. We'll acknowledge receipt within 48 hours and work with you to resolve it.
What's Next
We're working toward:
- ISO 27001 certification (target: 2027)
- Formal penetration testing program
- SOC 2 Type II (following ISO 27001)
Questions?
Contact us at hello@proviqa.com.