Privacy & Security

Security overview

Summary for IT and information security reviewers (non-exhaustive).

Encryption in transit

Public-facing web properties and APIs are served over TLS. Scan video, calibration photos, and other upload payloads travel encrypted between the customer's device and our infrastructure: the browser only sends them over HTTPS, and when uploads go directly to object storage using time-limited URLs issued by our API, those transfers also use HTTPS end-to-end. Administrative and operator tools require authenticated access over the same encrypted channels.

Encryption at rest

Primary databases and object storage rely on platform-level encryption at rest provided by our cloud vendors. Backup and archival copies inherit those providers' default protections.

Separation of identity and scan data: we store your name and other personal data separately from scan video, photographs, and derived 3D outputs. The two are not commingled in a single identifiable bundle: scan media is not stored alongside direct identifiers in a way that would associate them within our systems.

Access control

  • End users access scan and order flows through session-based or token-based mechanisms tied to their purchase or invitation.
  • Internal operators use role-based admin accounts; permissions limit who can view scans, production data, and system configuration.
  • Infrastructure credentials and secrets are not embedded in client-side code; server-side configuration and secret stores are used for production.

Network and application security

The public API is exposed only over HTTPS with standard hardening (e.g., security headers, rate-limiting and abuse controls where appropriate). Background job workers and compute instances that process 3D assets are not directly reachable from the public internet; they communicate with core services through private networking or authenticated service paths.

Logging and monitoring

Application and infrastructure logs support troubleshooting, security monitoring, and audit trails. Access to logs is restricted to authorized personnel. We avoid logging sensitive payload bodies where feasible.

Vulnerability management

Dependencies are updated on a regular cadence; critical patches are prioritized. Responsible disclosure and security inquiries may be sent to privacy@vitacore.com (subject: Security).

Formal attestations

This page is a high-level description, not a substitute for a completed questionnaire (e.g., SIG, CAIQ) or a third-party audit report. We can provide additional detail under NDA for enterprise evaluations.