Security Principles
Approval-gated Automation
Client-facing AI drafts are routed through human review by default. Agents approve, edit, or skip before any message reaches a client.
Role-based Access Control
Admin, broker, team lead, and agent views are strictly scoped. Each role sees only the operational data appropriate to their authority.
OAuth-first Authentication
Vesta uses provider login and connected-account permissions. Users never share inbox passwords or master credentials with the platform.
Data Minimization
Public proof pages and marketing material use aggregate, client-safe information — no names, message bodies, or private deal rows exposed.
Audit Trails
Important admin, broker, approval, and proof-package actions are recorded in immutable audit logs for accountability and compliance.
Isolated Services
Private services are kept behind localhost or intended ingress paths. Production AI routing uses the approved cloud credential path — no local Ollama exposure.
Transport and Storage
Public traffic is served over HTTPS. Production credentials are kept outside the public document root with restricted operating-system permissions. Managed providers may add their own encryption-at-rest controls for hosted systems. The database is backed up hourly with integrity checks.
Operational Controls
- Private services are kept behind localhost or intended ingress paths.
- Release signoffs check secret exposure, deployment target health, data truth, listener exposure, and configuration posture.
- Audit trails record important admin, broker, approval, and proof-package actions.
- Local Ollama services are disabled in production posture; LLM routing uses the approved cloud credential path.
- Hourly snapshot backups are retained for 72 hours to support rapid recovery after an incident.
Report a Security Issue
Please report suspected vulnerabilities, exposed data, or account-access concerns to [email protected]. Include the affected URL, steps to reproduce, and any relevant timestamps. We respond to security reports within 24 hours.