Security

Security first, because treasury data matters

Vault Brief uses public wallet data and read-only integrations to generate investor reports. The product never asks for private keys and cannot move funds.

🔒

Read-only wallet access

Vault Brief reads from public RPC endpoints (Alchemy, Dune Sim, Helius) using project-owned wallet addresses. The product holds no signing keys and cannot move funds, approve allowances, or modify on-chain state.

🔐

No private key storage

There is no signer in our code path. We never ask for seed phrases or wallet signing permissions, and no API or UI surface accepts them.

📨

Signed webhooks only

Every inbound webhook is signature-verified before any side effect runs. Stripe events are checked against Stripe's official HMAC signature header; Resend events are Svix-signed for email tracking; Atlos USDC postbacks carry an HMAC-SHA256 over the raw request body, compared with a timing-safe equality check.

🔑

Encrypted credentials at rest

GitHub personal access tokens are encrypted before they hit the database. Stripe customer references are opaque IDs only; no card details ever touch our servers.

🛡️

Auth and transport

TLS 1.2+ enforced end-to-end via Vercel with HSTS preload. Authentication runs on NextAuth v5 with single-host magic links (no cross-origin redirects, no callback hijacking surface). DKIM, SPF, and DMARC verified for the sending domain.

⏱️

Rate-limited surfaces

Sign-in attempts, project creation, on-demand sync, autofill lookups, and chat are all rate-limited via Upstash Redis sliding windows. Burst protection lives at the edge before any DB or LLM call.

Manual review before send

Generated reports land in draft status. Nothing is sent to investors until you click "Send". The sender drawer shows recipient list, edited markdown, and PDF preview side-by-side.

🧾

Audit-friendly data layer

Treasury snapshots are append-only. Every report references the exact snapshot it was generated from, and every webhook event is idempotently logged (Stripe events, Atlos events). Numbers in the AI narrative are validated against the source snapshot at generation time — no fabricated figures.

Report a vulnerability

If you discover a security issue, contact security@vaultbrief.io with a clear description and reproduction steps.