vumo
Security

The things we do quietly.

Security at Vumo is unglamorous on purpose. Here is what we hold and how we hold it.

What we don't store

We store as little as possible. Two examples worth naming up front:

  • Card numbers — never. Payments go straight to Stripe; we receive only a token.
  • Plaintext passwords — never. We use one-time codes sent to email, so there’s nothing to leak.

Encryption

  • All traffic is TLS 1.3. We don’t accept anything else.
  • Data at rest is encrypted with AES-256.
  • Backups are encrypted with separate keys, held in a separate region.

Where it lives

Primary infrastructure runs on AWS in Frankfurt (eu-central-1). Backups go to Dublin (eu-west-1). Stripe handles cards in their own US/EU regions per their compliance. Email is sent through Resend (eu-central-1).

Access

  • Production access is limited to the founding team and gated behind hardware keys.
  • Every production query is logged. Logs are reviewed weekly.
  • We do not access your data unless you ask us to — for support, usually.

If something happens

If we discover a security issue that affected your account, we’ll tell you within 72 hours of confirming it, with what we know and what we’re doing.

Standards

GDPR · CCPA

Audit

SOC 2 Type 2 in progress

Disclosure

Found something we should know about? Write to support@vumo.app. We respond within one working day.