Compliance Framework

VEKTOR Memory's security, legal, and regulatory status. Updated in real time as we complete certifications and expand coverage.

Local-first architecture ✓ Implemented

Zero cloud storage of customer data. Memories live on your infrastructure only. Encryption by architecture, not policy.

SQLite database local. ONNX embeddings local. AES-256-GCM vault encryption. TLS 1.2+ for all external calls.

Data Processing Agreement (DPA) In Progress

GDPR requires a signed DPA for any processor of personal data. Currently available on request; full template coming Q3 2026.

Timeline: Q3 2026 — Full signed GDPR DPA, sub-processor list, audit rights built-in.

Service Level Agreements (SLAs) In Progress

Enterprise customers require uptime guarantees, incident response timelines, and SLA credits. Target: 99.5% uptime for enterprise tier.

Target SLA: 99.5% monthly uptime. P0 response: 1 hour. P1: 4 hours. Monitoring live Q3 2026.

SOC 2 Type I In Progress

Security audit certification covering trust service criteria (availability, security, confidentiality, privacy). In preparation; audit begins Q3 2026.

Audit start: Q3 2026. Report available: Q4 2026. Type II observation: Q4 2026 – Q4 2027.

Business Associate Agreement (BAA) Planned Q4 2026

HIPAA requires a BAA for any vendor touching health data. Coming late 2026 for healthcare customers.

Status: Template in development. Available Q4 2026 for healthcare/life sciences customers.

Sub-processor transparency In Progress

GDPR requires customers to be notified of and able to object to sub-processors. Full list with change notification coming Q3 2026.

Current: Stripe, Cloudflare, managed cloud provider. Change notification: 30 days before new sub-processor.

Enterprise Compliance Questions?

For custom agreements, audit requests, or compliance discussions, contact our legal team.

[email protected]

Compliance Roadmap

Timeline for certifications, agreements, and compliance enhancements.

Q2 2026 (Now)

Pre-SOC 2 Security Review

Internal controls documentation complete. Incident response SLA defined. Audit-ready controls in place.

Q3 2026

SOC 2 Type I Audit

Independent security audit begins. Signed GDPR DPA released. Sub-processor list formalized. SLA monitoring dashboard live.

Q4 2026

SOC 2 Type I Report + BAA

SOC 2 Type I report available. Type II observation period begins. HIPAA BAA template released. Enterprise Agreement template finalized.

Q1 2027

CCPA Compliance

Full CCPA section added to Privacy Policy. California consumer rights workflow documented. Audit trail for deletion requests complete.

Q4 2027

SOC 2 Type II + ISO 27001

SOC 2 Type II report released (12 months of observation). ISO 27001 certification begins. Data residency controls for VEKTOR Cloud tier.

2028

Full Enterprise Suite

ISO 27001 certified. All major frameworks complete. Compliance coverage extends to healthcare, finance, government procurement tiers.

GDPR & Data Processing Agreement

For customers in EU/EEA and anyone processing EU resident data.

GDPR Compliance Status ✓ Implemented

VEKTOR processes minimal personal data (email address and licence activation timestamp only). Because of the local-first architecture, VEKTOR never processes customer memory data, so that data falls outside the scope of VEKTOR's GDPR obligations.

• Email address: Contract performance
• Activation timestamp: Abuse detection
• Memory data: Your control (no VEKTOR processing)

Signed GDPR DPA In Progress

EU law requires a signed Data Processing Agreement. Available now on request under NDA; full published DPA coming Q3 2026.

Contact: [email protected]
Expected Q3 2026: Standard GDPR DPA, SCCs, audit rights, data subject rights assistance.

Data Subject Rights ✓ Implemented

Right to access, delete, port, and correct. Deletion takes 30 days. Memory data is already yours and fully portable (SQLite).

Email [email protected] with "Data Subject Request" to exercise any right. Response in 30 days.

International Data Transfers In Progress

If VEKTOR Cloud tier processes EU data in US infrastructure, Standard Contractual Clauses (SCCs) will be in place by Q4 2026.

• Local VEKTOR: No transfers
• VEKTOR Cloud EU: Data stays in EU
• VEKTOR Cloud US: SCCs + adequacy mechanism

Need a signed GDPR DPA?

Contact us to discuss your requirements or sign our standard DPA under NDA.


HIPAA & Business Associate Agreement

For healthcare, life sciences, and anyone processing Protected Health Information (PHI).

HIPAA BAA Status Planned Q4 2026

HIPAA requires a signed BAA for any vendor touching PHI. Template in development; available Q4 2026 for healthcare customers.

Current status: Requirements gathering. Estimated release: Q4 2026.
For urgent healthcare use: Contact [email protected] for interim arrangements.

HIPAA-relevant controls ✓ Implemented

Access controls, encryption, audit logging, and incident response already in place. BAA formalizes these obligations.

• AES-256-GCM encryption
• SSH key-only access
• Audit trail of all operations
• Incident response SLA
• Business continuity plan

PHI data handling ✓ Implemented

If using VEKTOR in healthcare context, PHI stays on your infrastructure (local-first). VEKTOR has no access to health data.

PHI stored in VEKTOR stays on your servers. VEKTOR cannot see, proxy, or process it. Securing transport to LLM providers is your responsibility.

Breach notification ✓ Implemented

If VEKTOR infrastructure is breached, you will be notified within 72 hours per HIPAA timeline. Breach of your local memory data is your responsibility.

HIPAA notification: 72 hours. VEKTOR infrastructure: Zero customer PHI stored. Your servers: Your security responsibility.

Healthcare or life sciences?

We can discuss HIPAA readiness and interim arrangements today. BAA will be available Q4 2026.


CCPA / California Privacy Rights

For California residents and customers subject to the California Consumer Privacy Act.

CCPA Coverage Planned Q1 2027

CCPA applies to California residents. Currently not explicitly covered in Privacy Policy; full CCPA section coming Q1 2027.

California Privacy Rights Act (CPRA) enhancement also planned. Full update: Q1 2027.

Consumer rights In Progress

Right to know, delete, correct, opt-out. Coming Q1 2027 with dedicated workflow and audit trail for requests.

• Right to know: Access your data
• Right to delete: Remove licence record
• Right to correct: Update email
• Opt-out: No selling (we don't sell data)

California resident contact ✓ Implemented

California residents can exercise rights by emailing [email protected] with proof of residency. Response in 30 days.

Email: [email protected]
Subject: "California Privacy Request"
Response SLA: 30 days

SOC 2 Certification

Security audit covering trust service criteria: security, availability, confidentiality, privacy, processing integrity.

SOC 2 Type I In Progress

Independent audit of the design of VEKTOR's security controls at a point in time. Audit begins Q3 2026; report available Q4 2026.

Audit scope: All trust service criteria (CC, A1, PI, C1, P1). Auditor: TBA. Timeline: Q3–Q4 2026.

SOC 2 Type II Planned 2027

Type II requires 12 months of observation. Observation period begins Q4 2026 after Type I; report available Q4 2027.

Observation period: Q4 2026 – Q4 2027. Report release: Q4 2027. Enterprise procurement requirement: Type II required for most deals.

Trust Service Criteria ✓ Implemented

All five criteria are partially or fully implemented; the full list is on the Security page. Summary: encryption, key access controls, audit logging, incident response.

See Security page for full control matrix.

ISO 27001 Certification

Information security management system certification. Under consideration; timeline TBD.

ISO 27001 Status Under Consideration

ISO 27001 is a rigorous information security framework. Evaluation is underway of whether formal certification is necessary in addition to SOC 2 and the other frameworks listed here.

Assessment: Do enterprise customers need ISO 27001 specifically, or is SOC 2 Type II + GDPR DPA sufficient?
Decision: Q3 2026. If approved, timeline: 2027–2028.

Service Level Agreements (SLAs)

Uptime guarantees and incident response commitments for enterprise customers.

Enterprise uptime SLA In Progress

Target: 99.5% monthly uptime for enterprise tier. Monitoring and incident response SLAs in place; formal SLA terms coming Q3 2026.

Target: 99.5% uptime (≤43 min downtime/month)
Credits: 10% monthly fee per 1% below SLA
Measurement: UTC calendar month

Incident response SLA ✓ Implemented

P0 (critical): 1 hour acknowledgment. P1 (high): 4 hours. P2 (medium): 24 hours. P3: Next business day.

• P0: 1 hr ACK, 4 hr mitigation target
• P1: 4 hr ACK, 24 hr mitigation target
• P2: 24 hr ACK, 72 hr resolution target
• P3: Next business day

Maintenance windows In Progress

Planned maintenance scheduled during low-traffic windows. Notification 14 days in advance. Target: no more than 4 hours/month.

Windows: Sundays 00:00–06:00 UTC
Emergency maintenance: 72 hr notice minimum
Impact: Licence validation only; local SDK unaffected

Audit Rights & Access

Enterprise customers' rights to audit VEKTOR infrastructure and security controls.

Security audit access In Progress

Enterprise customers may commission third-party security audits. VEKTOR will cooperate under NDA. Formal audit rights language coming Q3 2026.

• Self-audit: View security.html, GitHub
• Third-party: Contact compliance@ for arrangements
• VEKTOR audit: Will be SOC 2 Type I (Q4 2026)

SOC 2 report access In Progress

SOC 2 Type I report will be available to customers. Restricted access (NDA/vendor portal); full report available Q4 2026.

Type I report: Q4 2026
Access: NDA required
Type II: Q4 2027

Right to inspect Planned Q3 2026

Enterprise MSA will include right to inspect VEKTOR infrastructure documentation and security controls (under NDA). Coming Q3 2026.

Includes: Architecture docs, incident logs, patch history, access control records. Cadence: Annual or on-demand.

Data Handling & Residency

Where your data lives, how it's encrypted, and what happens if you need to move it.

Local memory storage ✓ Implemented

All customer memory data stored locally (SQLite) on your infrastructure. VEKTOR never stores or touches your memory content.

Database: SQLite (yours)
Encryption: AES-256-GCM (at your discretion)
Cloud: None by default
Egress: Zero by default

VEKTOR Cloud residency Planned 2027

Future managed VEKTOR Cloud tier will support region selection (EU, US, APAC). Data residency controls in design; launch 2027.

EU: GDPR-compliant, EU-only hosting
US: US-based infrastructure
APAC: APAC-based infrastructure (TBD)
Default: US (can be changed at signup)

Encryption at rest ✓ Implemented

Credentials vault uses AES-256-GCM. Memory database can be encrypted with full-disk encryption (your choice). In-transit: TLS 1.2+.

Vault: AES-256-GCM, machine-bound key
At rest: Your responsibility (BitLocker, FileVault, LUKS supported)
In transit: TLS 1.2+ to all providers

Data export & portability In Progress

Your memory data is SQLite (fully portable). Coming Q3 2026: formalized export SLA and assisted export service for large datasets.

Export formats: SQLite, JSON, CSV
Assisted export: Available for >1GB datasets
Timeline: Q3 2026
Cost: Included in enterprise tier

Incident Response

How VEKTOR handles security incidents and communicates with customers.

Incident classification ✓ Implemented

All incidents classified P0–P3 with corresponding response timelines. P0 (critical): 1 hour. P3 (informational): quarterly review.

P0: Active exploit, credential exposure
P1: High CVE, auth bypass
P2: Unpatched vulnerability
P3: Informational, hardening opportunity

Customer notification ✓ Implemented

If incident affects customer data, notification within 72 hours (GDPR timeline). Includes: nature, data affected, mitigation, next steps.

Timeline: 72 hours (GDPR standard)
Method: Email to registered address
Contents: Nature, data, remediation, actions
For non-GDPR: 24–48 hours target

What can be breached at VEKTOR ✓ Implemented

VEKTOR holds almost no customer data (email, activation timestamp only). Memory data is on your infrastructure — not reachable from VEKTOR servers.

Data at VEKTOR: Email, timestamp
Impact: Account access notifications, resend activation link
What's NOT at risk: Your memories, embeddings, prompts

Responsible disclosure ✓ Implemented

Security researchers can report vulnerabilities to [email protected]. 90-day disclosure window before public release.

Email: [email protected]
ACK: 48 hours
Assessment: 7 days
Disclosure: 90 days, or sooner if the issue is already publicly known

Sub-processors

Third-party services that handle customer data and their privacy practices.

Complete sub-processor list In Progress

GDPR requires notification and objection rights for sub-processors. Current list: Stripe, Cloudflare, managed cloud provider. Full formalized list Q3 2026.

Current sub-processors:
• Stripe (payment processing)
• Cloudflare (DNS/DDoS)
• Managed cloud provider (hosting)

Customer LLM providers:
• Not sub-processors (your direct contract)
• Separate privacy policies apply

Sub-processor change process Planned Q3 2026

If VEKTOR adds a new sub-processor, customers will be notified 30 days in advance with right to object. Process formalized Q3 2026.

Notification: 30 days before change
Method: Email to all customers
Objection: Contact [email protected]
Outcome: Discuss alternative or termination

Stripe ✓ Implemented

Payment processor. Handles credit card data under PCI-DSS compliance. VEKTOR never sees card numbers.

Data: Email, payment method, billing history
Certification: PCI-DSS Level 1, SOC 2 Type II
Privacy: stripe.com/privacy

Cloudflare ✓ Implemented

DNS and DDoS protection. Processes DNS queries and request logs. Standard web hosting security.

Data: DNS queries, IP addresses, request logs
Retention: 7 days for logs
Privacy: cloudflare.com/privacypolicy

Managed cloud provider ✓ Implemented

Hosts VEKTOR servers. Holds email and activation data only. Customer memory data is not in VEKTOR infrastructure.

Data: Email, timestamp, licence info
Location: [Cloud provider region]
Security: Standard enterprise hosting with backups and monitoring

Enterprise Agreement

Master Service Agreement for enterprise customers (>$50K/year).

Enterprise Agreement template Planned Q3 2026

One-page summary of enterprise terms covering SLAs, DPA inclusion, audit rights, warranties, and liability. Removes the need to negotiate each item separately.

Includes:
• 99.5% uptime SLA
• Signed GDPR DPA
• Sub-processor list
• Audit rights
• Indemnification
• Incident response SLA

Custom MSA support ✓ Implemented

Large enterprises often require their own MSA. VEKTOR legal team can negotiate custom agreements. Contact compliance@ to discuss.

Process:
1. Customer provides draft MSA
2. VEKTOR reviews (1–2 weeks)
3. Negotiation phase (2–4 weeks typical)
4. Signed agreement

Purchase order support In Progress

Enterprises procure via PO with net-30 payment terms. Q3 2026: Full PO workflow with purchase requisition support.

Process: Customer sends PO → VEKTOR issues invoice referencing PO → Net 30 payment terms
Current: Available on request
Formalized: Q3 2026

Enterprise terms or custom MSA?

Let's discuss your requirements. Template available now; custom negotiation available starting Q3 2026.


Liability & Warranty

What VEKTOR warrants and what it limits liability for.

Current warranty disclaimer ✓ Current

The Terms of Service include an "AS IS" disclaimer. Enterprise customers typically require carve-outs for compliance and security.

Current: "AS IS without warranty of any kind"
Coming Q3 2026: Warranty carve-outs for enterprise tier

Enterprise warranty carve-outs Planned Q3 2026

Enterprise Agreement will explicitly warrant: compliance with law, appropriate security controls, no IP infringement, no malware.

Warranted:
• No IP infringement
• No malware
• Compliance with applicable law
• Appropriate security controls
• Honest incident disclosure

Liability cap ✓ Current

Liability capped at fees paid in last 12 months, except for indemnification and confidentiality breaches. Carve-outs per enterprise deal.

Standard cap: 12 months fees
Carve-outs: Indemnity, breach of confidentiality
IP claims: Indemnified by VEKTOR

Indemnification Planned Q3 2026

VEKTOR will indemnify you against third-party claims that VEKTOR infringes their intellectual property. Standard in Enterprise Agreement Q3 2026.

Scope: IP infringement claims
Exclusions: Customer modifications, third-party integrations
Conditions: Prompt notification, VEKTOR controls defense