# Trust & Security Page

URL: https://fairvisor.com/security/

---


## Built for paranoid engineers

Fairvisor is designed with a minimal trust surface. Your traffic data never touches our servers. Your edge runs on your infrastructure. Here's exactly how security works.

## Data Protection

| Aspect | Detail |
| --- | --- |
| Data in transit | TLS 1.2+ required, mTLS optional |
| Data at rest | AES-256 encryption (SaaS database) |
| Policy bundles | HMAC-SHA256 signed, tamper-detected at edge |
| EDGE_TOKEN | Rotatable, scoped to single edge instance |
| JWT validation | Configurable algorithms (RS256, ES256), JWKS auto-refresh |
| Secrets in policies | Never stored in policy bundles — referenced, not embedded |

## Access Control

| Role | Permissions |
| --- | --- |
| Viewer | Read policies, view analytics, view audit log |
| Editor | Create/edit policies (draft only) |
| Operator | Deploy policies, activate kill-switch, manage edges |
| Admin | Manage users, roles, integrations |
| Billing | Manage subscription, view invoices |
| Super Admin | All permissions, manage SSO, approval workflows |

## Compliance

- SOC 2 Type II — control mapping provided (CC6.1, CC6.3, CC7.2, CC7.3, CC7.4, CC8.1)
- GDPR — edge processes data in your infrastructure, SaaS receives only aggregated metadata
- Data residency — edge data stays in your infrastructure, SaaS region configurable (US/EU)
- Audit log — immutable, exportable, indefinite retention (Enterprise)
- MFA — supported at login for all SaaS accounts

## Supply Chain & Build Integrity

- SBOM — generated for every runtime and CLI image on release
- Image signing — release images are signed with provenance attestations
- Vulnerability gate — releases are blocked on HIGH or CRITICAL CVEs in container images
- Nightly scan — automated vulnerability scan runs nightly against published images

## Operational Security Readiness

Security controls must be operable under incident pressure, not just documented.

- Runbooks: reject spike, SaaS disconnect, bad bundle rollback, budget exhaustion — Runbooks
- Operations hub: consolidated incident handling and reliability controls — Operations Hub
- SLO/alert baseline: pre-defined checks for no_bundle_loaded, reject spikes, descriptor mismatches, SaaS reachability — SLO and Alerting

## Responsible Disclosure

If you find a security vulnerability, please report it to security@fairvisor.com. We commit to:

- Acknowledge within 24 hours
- Provide an initial assessment within 72 hours
- No legal action against good-faith reporters
- Credit in our security advisories (if desired)

Questions about our security model? Talk to the team
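The policy-bundle row in the Data Protection table says bundles are HMAC-SHA256 signed and tamper-detected at the edge. The following is an added illustration of that check, not Fairvisor's code: the bundle layout and field names (`policies`, `sig`, `mac`) and the per-edge key are assumptions, and it also shows the edge rejecting a bundle signed under another edge's key or with a downgraded `alg` field.

```python
import hashlib
import hmac
import json
import os

# Constructed example: bundle layout and field names ("policies", "sig", "mac")
# are assumptions for illustration, not Fairvisor's actual bundle format.


def canonical_bytes(policies: dict) -> bytes:
    # Canonical JSON so control plane and edge MAC exactly the same bytes.
    return json.dumps(policies, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(policies: dict, edge_key: bytes) -> dict:
    """Control-plane side: tag the bundle with HMAC-SHA256 under the edge-scoped key."""
    mac = hmac.new(edge_key, canonical_bytes(policies), hashlib.sha256).hexdigest()
    return {"policies": policies, "sig": {"alg": "HMAC-SHA256", "mac": mac}}


def verify_bundle(bundle: dict, edge_key: bytes) -> bool:
    """Edge side: recompute the tag and compare in constant time.

    Any edit to the policies, a tag made with another edge's key, or a
    changed "alg" field makes this return False.
    """
    sig = bundle.get("sig") or {}
    if sig.get("alg") != "HMAC-SHA256" or not isinstance(sig.get("mac"), str):
        return False
    expected = hmac.new(edge_key, canonical_bytes(bundle.get("policies", {})),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["mac"])


def load_policies(bundle: dict, edge_key: bytes, last_good: dict) -> dict:
    """Apply a bundle only if it verifies; otherwise keep the last known-good one."""
    if verify_bundle(bundle, edge_key):
        return bundle["policies"]
    return last_good


if __name__ == "__main__":
    key = os.urandom(32)                                    # per-edge key, rotatable
    good = sign_bundle({"rules": [{"route": "/api", "rate_limit": 100}]}, key)
    print("valid bundle:", verify_bundle(good, key))        # True
    good["policies"]["rules"][0]["rate_limit"] = 100000     # tamper in transit
    print("tampered bundle:", verify_bundle(good, key))     # False
```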
