TRUST · COMPLIANCE + SECURITY
Trust artifacts needed for procurement review.
Security policy · Privacy policy · Data Processing Agreement (DPA) · Data Methodology · SOC2 readiness · Sub-processors. All reviewable in one place. Enterprise purchasing / legal team inquiries: hello@veacon.io.
01 / Documents
5 published artifacts.
Security Policy
Published · TLS 1.3, AES-256 at rest, hash-only API keys, MFA on the admin console. Vercel SOC2 + Supabase SOC2 infrastructure.
Privacy Policy
Published · Based on the Korean Personal Information Protection Act (PIPA) + GDPR. Data items collected, retention periods, third-party provision, cross-border transfer.
Data Processing Agreement
Beta · request PDF · Early review version of the processing agreement for Enterprise customers. A PDF is provided separately at formal execution.
Data Methodology
Published · 5-source matrix, source priority, refresh cadence, verification methods, known limitations. Pre-answered for the due-diligence stage.
02 / SOC2 Readiness
Honestly: current position + roadmap.
We do not yet hold SOC2 Type II certification. Our infrastructure (Vercel · Supabase) runs in SOC2 Type II environments, but Veacon's own audit is scheduled to start via Drata/Vanta after the first 5 paying enterprise customers signal demand (Type I 2026-Q4, Type II 2027-Q2). Control coverage until then is shown in the table below.
| Area | Control | Status | Evidence |
|---|---|---|---|
| Security | TLS 1.3 in transit, AES-256 at rest | Covered | Vercel + Supabase platform default; verifiable via SSL Labs / DB inspection |
| Security | API key hash storage (no plaintext) | Covered | ADR-013 P5; intel.api_keys.key_hash BYTEA SHA-256 |
| Security | Per-key IP allowlist (CIDR enforcement) | Covered | authenticate_api_key_v3 + Settings · API Access UI |
| Security | Audit log of key lifecycle (issued/rotated/revoked) | Covered | intel.api_key_audit_log + /dashboard/audit |
| Security | Webhook signature verification (HMAC-SHA256) | Covered | P10 lib/webhook-delivery.js + signature in /dashboard/webhooks |
| Availability | Public uptime page | Covered | /status with 30s polling + edge-cached probes |
| Availability | Error tracking + alerting (Sentry) | Covered | P8 — sentry.{client,server,edge}.config.ts; DSN-gated, scrubs auth headers |
| Availability | 7-day uptime SLA tracking + historical reporting | Planned | Cohort 1 traffic = first dataset for SLA history; ETA 2026-Q3 |
| Confidentiality | Privileged-credential separation (service_role vs API) | Covered | service_role only on intel.* RPCs; public.veacon_* exposed surface gated |
| Confidentiality | Sub-processor disclosure (DPA + below) | Covered | /dpa Article 4 + /trust#sub-processors table |
| Processing Integrity | Honest data boundary disclosure (Layer 1 envelope) | Covered | ADR-015; every /api/v1/real-estate/* response carries _meta envelope |
| Processing Integrity | Multi-source confidence scoring (Layer 3) | Covered | ADR-015 Layer 3; relative_spread × distinct_sources × sample_count formula |
| Privacy | Korean PIPA + GDPR-aligned privacy policy | Covered | /privacy v1.0.0-beta |
| Privacy | Data residency disclosure (Korea / abroad) | Covered | /privacy Article 6 (cross-border transfer) + sub-processors region column below |
| SOC2 Type II audit | Formal Type II audit (Drata / Vanta + auditor) | In progress | Roadmap: Type I 2026-Q4, Type II 2027-Q2. Gated on first 5 paying enterprise customers |
13 / 15 controls are in operation. 1 in progress (formal SOC2 audit), 1 planned (SLA history). Items for which Enterprise procurement needs additional evidence can be requested at hello@veacon.io.
03 / Sub-processors
Sub-processors (3rd-party processors).
All 3rd-party processors in use, per Article 5 of the Privacy Policy + Article 4 of the DPA. Each processor's own DPA and its region / certifications are listed.
| Processor | Purpose | Data scope | Region | Certifications |
|---|---|---|---|---|
| Vercel | Web hosting + serverless function execution + CDN | API request payload + response (transient — not stored) | Global edge (Seoul ICN edge for Korean traffic) | SOC2 Type II · ISO 27001 · GDPR · CCPA |
| Supabase | Postgres database + authentication | Customer account, API keys (hashed), call logs, real-estate aggregate data | AWS ap-northeast-2 (Seoul ICN) | SOC2 Type II · HIPAA-ready · GDPR |
| Stripe | Subscription + payment processing | Customer email, payment method (Stripe-tokenized; Veacon never sees raw) | Global (Stripe US/EU/JP infra; transactions routed by region) | PCI DSS Level 1 · SOC1/2 Type II · ISO 27001 |
| Upstash | Rate limit sliding window state (Redis) | API key id (hashed) + sliding window counters; no PII | AWS ap-northeast-1 (Tokyo) | SOC2 Type II · GDPR |
| Sentry | Error tracking + APM | Stack traces + scrubbed request metadata (X-API-Key/Authorization/Cookie removed before send) | US (Sentry SaaS) | SOC2 Type II · ISO 27001 · GDPR · HIPAA |
Sub-processor changes are announced 14 days in advance (DPA Article 4, Section 3). Changes are reflected on this page and in the changelog. For US-region processors such as Stripe / Sentry, the Korean PIPA cross-border transfer consent procedure is applied explicitly at sign-up (see Privacy Policy Article 6).
PROCUREMENT · COMPLIANCE INQUIRY
Need additional evidence / a discussion?
Procurement-team verification of specific controls, vendor security questionnaire (VSAQ / SIG / CAIQ) responses, formal DPA PDF execution, vulnerability disclosure reports. All welcome.
