Trust center · v2026-06
Security & compliance.
The channel data you upload — VAR org trees, rep emails, account ownership — is some of the most sensitive in your business. Here's exactly how we protect it.
Pillars
How your data is protected.
Encryption everywhere
Your data is encrypted in flight and at rest with industry-standard ciphers.
- TLS 1.2+ on every connection — HTTPS enforced
- Encryption at rest for the Postgres database (AES-256, managed by Supabase)
- CRM OAuth credentials encrypted at rest (AES-256-GCM, application layer)
- Secrets kept in the platform's encrypted env store — never in source control
Tenant isolation
Every query is scoped by organizationId — your data never crosses workspaces.
- Every database row carries an organizationId column
- Server-side requireOrg() guard enforces the scope on every page + action
- Composite indexes on (organizationId, …) make scoping the fast path
- No shared caches between tenants — keys include organizationId
Identity & access
Clerk-backed authentication with password security, MFA, and SSO support on every plan.
- Bcrypt password hashing (configurable strength) — handled by Clerk
- TOTP + WebAuthn / passkeys for second factor
- SAML 2.0 SSO with major IdPs (Okta, Azure AD, Google Workspace)
- SCIM 2.0 provisioning for automated joiner / mover / leaver
- Per-org roles: Admin, Member, Viewer — least-privilege by default
Audit logging
Every privileged action — sign-in, import, export, role change — is recorded.
- Immutable AuditEvent ledger per organization
- Captures actor, action, entity, IP, user agent, and JSON metadata
- Configurable retention (90 days / 1 year / indefinite)
- CSV export with full filter support for evidence collection
- PERMISSION_DENIED events for privilege-escalation attempts
Frameworks
Compliance posture, honestly stated.
| Framework | Status | Detail |
|---|---|---|
| SOC 2 Type II | In progress | In progress — security controls implemented and being documented. Not yet audited or certified. |
| GDPR | Ready | DPA available. Per-person erasure + organization-wide data-wipe tooling built into the product. (EU representative not yet appointed.) |
| CCPA / CPRA | Ready | Same erasure + portability tooling as GDPR. Privacy policy enumerates data categories. |
| ISO 27001 | In progress | On the roadmap after SOC 2 Type II — not yet started. Listed for transparency, not as a current control set. |
Documents
The document library.
Privacy policy
What we collect, why, and how we protect it — written to match how the product actually works today.
Read the documentTerms of service
The terms governing your access to and use of VAR Conduit.
Read the documentData Processing Addendum
How we process personal data on your behalf; reach out to execute a countersigned copy for procurement.
Read the documentSecurity overview one-pager
This trust center in packet form, for vendor-review and procurement files.
Available on request via security@varconduit.com
CAIQ-Lite questionnaire
A pre-filled CAIQ / SIG-Lite style self-assessment — honest gaps included.
Available on request via security@varconduit.com
Disclosure & contact
Found a vulnerability or have a compliance question? We'd rather hear from you than read about it later.
Last reviewed · June 2026