Security & control

Security & control overview

Your organization stays the controller. Vantage is the processor under a DPA. Every architectural choice serves that posture.

Data ownership and processing

Your organization is the data controller under the Data Processing Agreement we sign with every customer. Vantage Inc. is the processor. We act only on documented instructions from your organization. We do not sell, rent, lease, or share customer data with any third party for advertising, analytics, or model training.

Where data lives

Production data lives in AWS us-east-1 by default. Application data is isolated by tenant via Postgres row-level security and org-prefixed object storage paths. Other regions are available on request for organizations with data-residency requirements.

Device authentication

Each enrolled macOS device authenticates with mutual TLS using a per-device certificate issued at enrollment. The agent never holds long-lived cloud credentials. Token revocation is immediate from the operator console.

Tiered retention

Every data class has an expiry that your organization sets:

Operator access

All operator access is logged in an append-only, hash-chained audit log. The log records who accessed which device's record, when, from which IP, and what action was taken. Audit log entries are tamper-evident — any modification breaks the chain.

What Vantage does not capture

By design and by entitlement:

Compliance posture

SOC 2 Type I control design is in progress with a target Q4 2026 readiness window. We frame this honestly — we do not claim controls we have not implemented.

Vantage supports deployments for organizations with sector-specific compliance requirements (HR data, regulated industries, education) — executed through the DPA and customer agreement, with template policy language we provide.

Disclosure and acceptable use

Vantage is deployed openly. The agent has no menu-bar UI by default — not to hide, but to avoid interrupting work. Disclosure to end-users is the organization's responsibility, executed through your acceptable-use policy or workplace handbook. We provide template language.

Vulnerability reporting

Security researchers can report vulnerabilities to cruce.saunders@alpha.school with subject line beginning with [SEC]. We acknowledge within two business days.

DPA & sub-processor list

The Vantage Data Processing Agreement template is available for review by your counsel during pilot evaluation. Sub-processors are listed within the DPA and updated with 30 days' notice for material changes.