Trust
Last updated: May 10, 2026
VNet IQ holds Reader-only access to your Azure environments. We treat that access seriously. This page summarises how we test our own systems, what we've found, and what we've shipped against those findings.
How we audit ourselves
- Internal codebase audit run May 9, 2026 — full coverage of API, frontend, infrastructure, and billing.
- Findings are prioritised via a 5-advisor LLM Council methodology plus peer review — we use the same prioritisation rigour an external firm would.
- Every fix lands as a reviewable PR in the public commit log of our GitHub repo.
- Continuous: every PR runs Row-Level Security regression tests in CI before merge.
What we've shipped against findings
Reliability
- Auto-extending sync history partitions, graceful drain on background workers, and atomic billing webhook handling so no run or charge gets lost mid-deploy. See Changelog for per-fix detail.
Security and privacy
- HTTP hardening across the API (HSTS, X-Frame-Options, Content Security Policy, body-size caps).
- Role-based authorization on every mutation handler, so members can't perform actions reserved for owners or admins.
- A separate database role for cron and scheduler workloads — defence-in-depth on top of Row-Level Security.
- Unique billing-subscription index plus a freshness check on Paddle webhook signatures, so duplicate or replayed events can't mutate a workspace's plan.
- See Changelog for granular detail and Security for the full posture.
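The replay protection described above (signature check, freshness check, unique index), sketched as an added example; this is not VNet IQ's code. It assumes a `ts=<unix>;h1=<hex>` signature header with HMAC-SHA256 over `ts:body`, a 300-second freshness window, an `event_id` field in the payload, and an in-memory set standing in for the unique database index.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed window; the page does not state one
SECRET = b"constructed-test-secret"  # constructed sample value
BODY = b'{"event_id":"evt_constructed_1","event_type":"subscription.updated"}'


def _mac(raw_body, secret, ts):
    # The timestamp is part of the signed string, so it cannot be edited in transit.
    return hmac.new(secret, f"{ts}:".encode() + raw_body, hashlib.sha256).hexdigest()


def sign(raw_body, secret, ts):
    """Build a header as the sender would (used for the constructed sample)."""
    return f"ts={ts};h1={_mac(raw_body, secret, ts)}"


def verify_webhook(raw_body, header, secret, seen_event_ids, now=None):
    """Return (accepted, reason). seen_event_ids stands in for a unique index."""
    now = time.time() if now is None else now
    try:
        parts = dict(p.split("=", 1) for p in header.split(";") if "=" in p)
        ts, sig = int(parts["ts"]), parts["h1"]
    except (KeyError, ValueError):
        return False, "malformed header"
    # 1. Authenticate first: ts is only trustworthy once the MAC checks out.
    if not hmac.compare_digest(_mac(raw_body, secret, ts).encode(), sig.encode()):
        return False, "bad signature"
    # 2. Freshness: a validly signed but old capture is rejected.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # 3. Idempotency: a replay inside the window is caught by the event id.
    event_id = json.loads(raw_body)["event_id"]
    if event_id in seen_event_ids:
        return False, "duplicate event"
    seen_event_ids.add(event_id)
    return True, "ok"
```

The handler must verify the raw request bytes, not a re-serialised JSON object, or the MAC will not match.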
Billing accuracy
- Multi-line subscription resolution, faster past-due notifications, and late-event protection on canceled subscriptions. See Changelog for per-fix detail.
UX polish
- Consistent error envelope across the API, no setState-during-render flicker, and faster MSAL readiness on first load. See Changelog for per-fix detail.
Where we're not finished
- Production Paddle setup is in flight — we're sandbox-only until our trial program transitions.
- A backup and restore drill is scheduled before our first paying customer.
- A customer-facing Data Processing Agreement is being finalised — contact us if you need an early copy.
How to reach us about security
- Vulnerability reports: [email protected] (also published in /.well-known/security.txt per RFC 9116).
- General questions: [email protected].
- For the full security overview see Security; for data handling specifics see Privacy.