Security

Vega handles sensitive orbital and spectrum data for satellite operators. We implement industry-standard security measures to protect your information.

Secure Communications

  • SSL/TLS Encryption - All data is encrypted via SSL/TLS when transmitted from our servers to your browser
  • Forced HTTPS - All access to the application requires HTTPS with Strict-Transport-Security headers
  • Content Security Policy - Comprehensive CSP headers protect against XSS and injection attacks

Authentication & Access Control

  • Password Security - Passwords are hashed using bcrypt with 12 stretches and checked against known compromised password databases via the Pwned Passwords API
  • Two-Factor Authentication (2FA) - Available for all accounts using one-time passwords (TOTP) with encrypted backup codes
  • Session Management - Secure session handling with HTTP-only, secure cookies and remember-me tokens
  • API Authentication - Secure token-based authentication for programmatic access with expiration controls
  • Account Lockout - Automatic account lockout after 5 failed login attempts with time-based or email unlock

Data Protection

  • Multi-Tenant Isolation - Path-based account isolation ensures your data is separate from other customers
  • Encrypted Backups - Database backups are encrypted at rest and during transfer
  • Sensitive Data Filtering - Passwords, API keys, tokens, and credentials are excluded from application logs and error reports
  • Encrypted OAuth Tokens - Third-party access tokens are encrypted at rest using Rails encrypted attributes
  • Secure Object Storage - Long-term analysis data stored in Cloudflare R2 with encryption and access controls

Payment Security

  • PCI Compliance - Payment processing handled by Stripe, a PCI-DSS Level 1 certified provider
  • No Card Storage - Credit card data never touches our servers; sent directly to Stripe
  • Secure Webhooks - Payment notifications verified using cryptographic signatures
  • Fraud Prevention - Real-time fraud detection and prevention through Stripe Radar

Infrastructure Security

  • DDoS Protection - Cloudflare protection against distributed denial-of-service attacks
  • Web Application Firewall - Cloudflare WAF filters malicious traffic and bot attacks
  • Trusted Proxies - Configured IP allowlists ensure accurate visitor IP tracking
  • Host Authorization - DNS rebinding protection prevents unauthorized access
  • Automated Backups - Daily encrypted database backups with point-in-time recovery

Privacy & Compliance

We are committed to protecting your privacy and complying with applicable data protection regulations:

  • No Data Selling - We never sell your personal information to third parties
  • GDPR Rights - EU customers have full data protection rights
  • Transparent Practices - Clear Privacy Policy and Terms of Service

Responsible Disclosure

Found a security issue? We welcome responsible disclosure from security researchers and white hat hackers.

How to Report

We offer two ways to report security vulnerabilities:

  1. Feedback Button (Preferred for most reports)

    • Click the feedback button in the bottom right corner of any page
    • Select category: "Security / privacy"
    • Provide details of the vulnerability
    • Our security team will review and respond within 24-48 hours
  2. Direct Email (For sensitive disclosures)

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact and severity assessment
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up (if you prefer a method other than email)

Our Commitment

  • We will acknowledge receipt within 24-48 hours
  • We will provide regular updates on our investigation
  • We will credit researchers who responsibly disclose vulnerabilities (if desired)
  • We will not pursue legal action against researchers who follow responsible disclosure practices

Questions About Security?

Have questions about our security practices? Contact us for more information.
