Security

Your infrastructure.
Your security posture.

Vascular is a single service you deploy on your own infrastructure. Your customer data never transits our servers; the one exception is the optional SFMC relay for Connect plan customers, which carries message content only and is described under Data in transit. Your existing security controls govern the deployment.

01

No data on our servers

Customer data stays within your infrastructure boundary. We ship software, not a data pipeline.

02

One service to secure

A single deployable unit shipped as a hardened container.

03

Identity stays with you

Vascular does not operate a user directory or issue end-user login credentials. The SDK identifies requests using an app ID, a rotatable API key issued by Vascular for your deployment, and a user ID that you supply and that maps to your own records. Because the app ID and API key ship with your client application, they identify the deployment rather than the end user; user authentication can optionally be enforced through your existing auth system.

01

Infrastructure

Deployment

Single service

Vascular ships as a single service — deployable as a Docker container or Kubernetes pod on your own infrastructure. There is no Vascular-operated compute that touches your customer data.

You own the runtime environment, the network boundary, and the data at rest. Your team controls how the service is deployed, scaled, and exposed on your network.

Message event tracking

Stored on your own storage

Message events — delivery, open, and interaction tracking — are written to object storage you own and operate. Currently supported: Amazon S3. Azure Blob Storage support is on the roadmap.

No event data is written to or readable from Vascular-operated storage. Your data classification policies, retention rules, and access controls apply from the point of write.

Compliance inheritance

Because Vascular runs on your infrastructure under your security controls, it sits inside your existing compliance boundary rather than adding a vendor boundary of its own. Note that a cloud provider's certification covers the provider's services, not the workloads you run on them: a SOC 2 certified AWS or Azure deployment running Vascular carries that boundary forward to the extent that your own controls and your auditor's scope already cover the workload. What Vascular contributes is that no component outside that boundary touches your data.

02

Data in transit

Encryption

HTTPS / HTTP/2 in transit

All communication between your users' devices and your Vascular deployment is encrypted in transit over HTTPS (HTTP/2). No customer data travels over unencrypted connections. Because the service runs in your environment, TLS termination, certificate management, and the accepted protocol versions and cipher suites are configured and owned by you.

For Connect plan customers using the SFMC relay: message content transits Vascular-operated relay infrastructure over encrypted channels only. The relay is scoped exclusively to message content — no user profile data, session data, or analytics leave your environment through it.

03

Authentication

Frontend SDK

Web & Mobile

The frontend SDK identifies requests using three values: an app ID and API key issued for your Vascular deployment, and a user ID that you supply. The app ID and API key scope the request to your deployment; because they are embedded in client-side code, treat them as identifying the application, not as proof of who the user is. The user ID identifies which inbox to serve: it maps to your own user records and is never issued or managed by Vascular.

By default this is sufficient to serve the inbox. For applications that require requests to be verified against your own authentication system, you can configure external auth: the SDK passes your session token through to your auth service, which must validate it before Vascular serves any data. That validation should confirm both that the token is genuine and unexpired and that its subject is the user whose inbox is being requested; a check that only confirms the token is valid would still let one authenticated user request another user's inbox.

SDK (app ID, API key, user ID) → Envoy proxy → Your auth service (optional) → Vascular inbox

External auth is optional but recommended for applications handling sensitive data or operating in regulated environments. Without it, access to an inbox is gated only by knowledge of the app ID, API key, and user ID, none of which is secret from the client.
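One way to implement the external auth step, as an added example that is not the SDK's or Vascular's own code: a small HTTP check service of the kind Envoy's ext_authz filter calls before forwarding a request (the page does not specify the mechanism, so ext_authz is an assumption). The session token format, the signing key, and the X-Vascular-User-Id header are constructed stand-ins for whatever your auth system and SDK actually use. The check that matters is the last one in Authorize: the token's subject must equal the inbox being requested.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// sessionKey stands in for whatever secret your auth service already uses to
// verify its own session tokens (constructed for this example).
var sessionKey = []byte("example-session-signing-key")

// MintSession issues a constructed token of the form "sub.exp.hmac" so the
// example runs offline; a real deployment verifies its own token format.
func MintSession(sub string, exp time.Time) string {
	body := sub + "." + strconv.FormatInt(exp.Unix(), 10)
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(body))
	return body + "." + hex.EncodeToString(mac.Sum(nil))
}

// Authorize decides whether the caller may read the inbox for userID.
// Three checks, in order: the token is genuine, it is not expired, and its
// subject is the user whose inbox was requested. The last check is what
// stops one logged-in user from fetching another user's inbox.
func Authorize(authz, userID string, now time.Time) (bool, string) {
	if userID == "" || !strings.HasPrefix(authz, "Bearer ") {
		return false, "missing bearer token or user id"
	}
	parts := strings.Split(strings.TrimPrefix(authz, "Bearer "), ".")
	if len(parts) != 3 {
		return false, "malformed token"
	}
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	want := hex.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(want), []byte(parts[2])) {
		return false, "bad signature"
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return false, "expired"
	}
	if parts[0] != userID {
		return false, "token subject does not match requested inbox"
	}
	return true, "ok"
}

// Handler is the endpoint an ext_authz filter would call before forwarding to
// Vascular: 200 lets the request through, 403 blocks it. The header carrying
// the user ID (X-Vascular-User-Id) is an assumption; use whatever the SDK
// actually sends in your deployment.
func Handler(w http.ResponseWriter, r *http.Request) {
	ok, reason := Authorize(r.Header.Get("Authorization"), r.Header.Get("X-Vascular-User-Id"), time.Now())
	if !ok {
		http.Error(w, reason, http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	now := time.Now()
	tok := MintSession("user-42", now.Add(time.Hour))
	for _, uid := range []string{"user-42", "user-43"} {
		ok, reason := Authorize("Bearer "+tok, uid, now)
		fmt.Printf("inbox %s: allowed=%v (%s)\n", uid, ok, reason)
	}
}
```

Handler is the piece you would register on the path your proxy is configured to consult; Authorize is kept separate so the decision can be unit-tested without a running proxy. Verifying the signature before anything else means a forged subject is rejected as a bad signature rather than reaching the subject comparison.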

Backend SDK

Server-to-server

Backend-to-Vascular communication supports two authentication methods alongside the app key:

OAuth 2.0

Microsoft Entra ID

Pass a Microsoft Entra ID bearer token in the Authorization header. The token is validated against your existing Entra ID tenant configuration (issuer and audience), so your identity provider, not a shared secret, governs which backends obtain access.

mTLS

Certificate-based

Mutual TLS certificate authentication for environments where certificate-based trust is required or preferred. Your certificate authority governs which backends are trusted.

Both methods mean your backend never authenticates with a shared secret alone. Your identity provider or certificate authority governs access.
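The mTLS option above, as an added example that is not Vascular's own code: a Go server configured the way the page describes, trusting only client certificates issued by your CA. The CA, server and client certificates are generated in memory and the names are placeholders (all constructed for this example). It shows the property the page relies on: a syntactically valid certificate from a different CA is rejected just as a missing certificate is. The Entra ID path is not shown, because validating those tokens needs the tenant's published signing keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue generates an in-memory P-256 key and certificate for cn (constructed for
// this example): a self-signed CA when parent == nil, else a leaf signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func keyPair(cert *x509.Certificate, key *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// serveOnce accepts one connection; the handshake is where ClientCAs is enforced.
func serveOnce(ln net.Listener) {
	conn, err := ln.Accept()
	if err != nil { return }
	defer conn.Close()
	if conn.(*tls.Conn).Handshake() == nil {
		conn.Write([]byte("ok"))
	}
}

// connect dials and waits for "ok". Under TLS 1.3 the client handshake can finish
// before the server has judged the client cert, so a rejection shows up on the read.
func connect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil { return err }
	defer conn.Close()
	_, err = io.ReadFull(conn, make([]byte, 2))
	return err
}

// Demo: server trusts yourCA only; try a cert from yourCA, a foreign CA, and none.
func Demo() (trusted, foreign, none error) {
	yourCA, yourCAKey := issue("Your Internal CA", nil, nil)
	otherCA, otherCAKey := issue("Some Other CA", nil, nil)
	srvCert, srvKey := issue("vascular", yourCA, yourCAKey)
	goodCert, goodKey := issue("backend-a", yourCA, yourCAKey)
	badCert, badKey := issue("backend-b", otherCA, otherCAKey)
	trust := x509.NewCertPool()
	trust.AddCert(yourCA)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{keyPair(srvCert, srvKey)},
		// RequireAndVerifyClientCert is what makes this mutual TLS; the weaker
		// RequestClientCert and VerifyClientCertIfGiven admit peers with no cert.
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  trust,
		MinVersion: tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil { return err, err, err }
	defer ln.Close()
	try := func(cert *tls.Certificate) error {
		go serveOnce(ln)
		cfg := &tls.Config{RootCAs: trust} // the same CA also signed the server cert
		if cert != nil { cfg.Certificates = []tls.Certificate{*cert} }
		return connect(ln.Addr().String(), cfg)
	}
	good, bad := keyPair(goodCert, goodKey), keyPair(badCert, badKey)
	return try(&good), try(&bad), try(nil)
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints a nil error for the backend signed by your CA and non-nil errors for the other two. In a real deployment the CA pool comes from your PKI rather than being generated at startup, and the rest of the configuration (RequireAndVerifyClientCert plus a ClientCAs pool containing only your CA) is the part to carry over.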

04

Software & container security

Dependency management

Automated via Dependabot

Vascular uses GitHub Dependabot to continuously monitor application dependencies for known CVEs and outdated packages. When a vulnerable or outdated dependency is detected, Dependabot automatically opens a pull request — keeping fixes in the development workflow rather than a backlog.

Dependabot is configured for both the application-level dependencies and the container base image, so a vulnerable or outdated base image gets a pull request in the same way an application package does, covering the OS layer as well as the application layer.

Container images

Updated with each release

Container images are rebuilt and published with each Vascular release. Release notes document security-relevant dependency and image changes. We recommend subscribing to release notifications on GitHub to stay current on patches.

Because you pull and run the container on your own infrastructure, you control when updates are applied — updates are never pushed to your environment automatically.

Vulnerability disclosure

Coordinated disclosure

To report a vulnerability in Vascular software or infrastructure, email infor@vascular.io. We acknowledge all reports within one business day.

We follow coordinated disclosure — we ask that researchers allow reasonable time to address and release a fix before public disclosure. We will keep you informed of progress throughout.

05

Common security questions

Does Vascular store or process our customer data?

No. Vascular runs on your infrastructure. Customer data never leaves your environment or transits our servers. The one exception is the optional SFMC relay for Connect plan customers, which carries message content only, over encrypted channels.

Who controls the encryption keys for data at rest?

You do. Data at rest is encrypted by your infrastructure provider under your key management configuration.

How is network access to the service controlled?

You control it. Vascular is a service inside your network boundary. Your firewall, VPC, and network policies govern access.

Can we complete a vendor security questionnaire?

Yes. Contact us at infor@vascular.io. Because the service runs inside your environment, most answers are "customer-controlled": the controls a reviewer in a regulated environment will be assessing are your own rather than a vendor's.

Do you offer a Data Processing Agreement?

Yes. Because Vascular processes no personal data on your behalf (personal data never leaves your environment; the optional SFMC relay is scoped to message content only), the DPA reflects that boundary clearly.

What certifications does Vascular hold?

Rather than holding a separate certification of its own, Vascular is deployed inside your existing certified environment, so your own controls, monitoring, retention, encryption, and access policies apply to it.