Security & Trust
At Vervato, security is not an afterthought — it is a core architectural principle. We protect your business data with the same standards used by enterprise platforms.
CASA Tier 2 Assessment in Progress
Vervato is currently undergoing a Cloud Application Security Assessment (CASA) Tier 2 review. This is the rigorous security standard used by major platforms like Google to verify that applications handle sensitive data with enterprise-grade protections.
Frequently Asked Questions
How does Stanley protect my business data?
We use a "Defense-in-Depth" architecture. Unlike standard apps that just protect the "front door," Vervato protects the data itself. We use field-level encryption (AES-256-GCM) for your AI's "memories" and business preferences. This means even if our database were accessed, your private business rules remain unreadable "gibberish" without our secure encryption keys.
Does Vervato use my data to train AI models?
No. We do not use your proprietary business data, customer lists, or invoice details to train foundational Large Language Models (LLMs) like those from OpenAI or Google. Your data is used exclusively to provide your specific AI assistant with the context it needs to help you.
What is "PII Scrubbing" and why do you use it?
To keep your data private, we use automated PII (Personally Identifiable Information) Scrubbers. Before data is sent to an AI specialist or recorded in a system log, our code automatically looks for and redacts sensitive info like Social Security Numbers or full home addresses. We believe in Data Minimization: only the info necessary to complete a task is processed.
Is my assistant fully autonomous? Could it send a wrong invoice?
Stanley is designed with "Confirmation Boundaries." For high-stakes actions like sending invoices or making payments, Stanley is hard-coded to halt and present a draft for your review. He cannot "hallucinate" his way past your approval; you are always the final authority.
What happens if I delete my account?
We honor the "Right to Erasure." When you delete your account, we don't just mark it as hidden. We can perform a "Hard Reset," which destroys the encryption keys associated with your data, rendering it irretrievably unreadable across all our systems.
Is Vervato compliant with industry standards?
We are currently undergoing a CASA (Cloud Application Security Assessment) Tier 2 assessment. This is a rigorous security standard used by major platforms (like Google) to verify that applications handle sensitive data with enterprise-grade protections.
Technical Verification
Field-Level Encryption (AES-256-GCM)
All sensitive business logic and learned preferences are stored using AES-256-GCM authenticated encryption. Each record receives a unique initialization vector (IV) and a cryptographic authentication tag to ensure both confidentiality and integrity.
PII Redaction
Automated scrubbing technology detects and redacts Personally Identifiable Information — including email addresses, phone numbers, Social Security Numbers, and physical addresses — from internal system logs before they are written to disk.
Fail-Closed Architecture
We utilize a Fail-Closed security model, meaning our AI will refuse to process or store sensitive data if encryption services are unavailable, ensuring your data is never at risk of plaintext exposure.
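The field-level encryption and fail-closed behavior described in the two sections above can be sketched as follows. This is an added example, not Vervato's code: the names makeFieldCipher, encryptField and decryptField, the key-provider callback, the storage format, and the use of a row/field context string as associated data are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical key provider: returns the 32-byte AES-256 key, or null when the
// key service is unreachable. A real deployment would call a KMS here.
function makeFieldCipher(getKey) {
  function requireKey() {
    const key = getKey();
    // Fail closed: never fall back to storing or returning plaintext.
    if (!Buffer.isBuffer(key) || key.length !== 32) {
      throw new Error('encryption unavailable: refusing to process field');
    }
    return key;
  }

  function encryptField(plaintext, context) {
    const key = requireKey();
    const iv = crypto.randomBytes(12); // fresh 96-bit IV for every record
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    // Assumption: bind the ciphertext to its row/field so it cannot be moved.
    cipher.setAAD(Buffer.from(context, 'utf8'));
    const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
    const tag = cipher.getAuthTag(); // 16-byte authentication tag
    return [iv, tag, ct].map((b) => b.toString('base64')).join('.');
  }

  function decryptField(stored, context) {
    const key = requireKey();
    const parts = stored.split('.');
    if (parts.length !== 3) throw new Error('malformed ciphertext');
    const [iv, tag, ct] = parts.map((p) => Buffer.from(p, 'base64'));
    if (iv.length !== 12 || tag.length !== 16) throw new Error('malformed ciphertext');
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
    decipher.setAAD(Buffer.from(context, 'utf8'));
    decipher.setAuthTag(tag);
    // final() throws if the tag, ciphertext, IV or context was altered.
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  }

  return { encryptField, decryptField };
}
```

Encrypting the same value twice yields different stored strings because of the per-record IV, and any modified byte or mismatched context makes decryption throw instead of returning data.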
Confirmation Boundaries
High-stakes operations (invoice creation, email sending, payment processing) are enforced with code-level confirmation boundaries. The AI assistant cannot bypass human approval for destructive or financial actions.
Multi-Tenant Isolation
All database queries are scoped to the authenticated user. Row-level security ensures that one user's data can never be accessed by another, even if internal identifiers are guessed.
Questions?
If you have security concerns or questions about how we protect your data, contact us at support@vervato.io.