Security

Compliance software has to be more secure than the average.

Operators are trusting us with the records that keep their license intact. We take that seriously.

Data protection

All customer data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Database backups are encrypted and stored in geographically separate regions. Encryption keys are managed by our infrastructure provider with audited rotation.

Infrastructure

Verdaxi runs on enterprise-grade cloud infrastructure (AWS/Cloudflare) in US regions only. Customer data does not leave the United States. We use logical multi-tenancy with strict org_id scoping enforced at every database query — never trust input, always filter by authenticated org context.

Access controls

BetterAuth-backed session authentication with multi-factor authentication available on every account. Role-based access control with org-level and facility-level scoping. SSO and SCIM available on Enterprise plans. Internal access to production systems uses SSO + hardware keys, audited per access.

Application security

Secure SDLC with code review on every change. Automated dependency scanning. Input validation with Zod on every server route. Audit log on every write — capturing user, action, before/after snapshots, IP. Rate limiting on auth and write endpoints. Regular penetration testing as the platform matures.

Compliance roadmap

SOC 2 Type II is on our 2026 roadmap. We are building toward HIPAA-aligned controls where applicable for medical cannabis operators. We will publish a list of sub-processors and a status page as part of our trust center.

Incident response

We follow a documented incident response process. Confirmed incidents that affect customer data are disclosed to affected customers within 72 hours of confirmation, and to regulatory authorities where required. Customers can subscribe to our status page (link forthcoming) for real-time service availability.

Responsible disclosure

If you believe you've found a security vulnerability in Verdaxi, please email [email protected]. We acknowledge reports within one business day, work with researchers in good faith, and credit researchers (with permission) on a security acknowledgments page once the issue is resolved.

Sub-processors

A list of the third-party services we use to operate Verdaxi and the customer data they process.

Contact security

Security questions, vulnerability disclosures, or compliance documentation requests:

[email protected]
