Trust

    Security

    Last updated: April 2026

    Data encryption

    • All data in transit is encrypted using TLS 1.2+
    • Database data is encrypted at rest using AES-256
    • BYODB connection strings are stored encrypted — the plaintext connection string is not logged during normal operation

    Authentication

    • SDK tokens are write-only — they can ingest data but cannot read any stored data
    • Dashboard sessions use short-lived JWTs with httpOnly cookies

    Privacy masking

    • Web session replay is designed to mask known password input types by default
    • Elements marked with data-sensitive are not recorded
    • Replay is designed to focus on interaction events rather than recording actual input values

    Responsible disclosure

    • If you find a security vulnerability, please email security@vestara.dev
    • We aim to respond within 48 hours

    Infrastructure

    • Hosted on Render (backend) and Vercel (frontend)
    • Database on Neon (PostgreSQL) in EU-West (Ireland)
    • Session replay blobs stored on Cloudflare R2

    BYODB

    • If you connect your own Neon database, your event data is stored at rest in your connected database after passing through Vestara’s ingestion pipeline
    • We hold only your encrypted connection string