Data Protection
Vantage implements multiple layers of data protection to secure your account, credentials, and business data.
Authentication Security
Password Protection
- Passwords require a minimum of 8 characters
- Passwords are hashed before storage — plain text passwords are never stored
- Password changes require confirmation of the current password
- Password reset uses secure email-based token verification
Two-Factor Authentication (2FA)
Two additional verification methods add security beyond passwords:
| Method | How It Works |
|---|---|
| Email Code | A verification code is sent to your registered email on each login |
| Authenticator App (TOTP) | Time-based one-time passwords generated by Google Authenticator, Authy, or similar apps |
Disabling 2FA requires password confirmation as a safeguard.
Passkeys (WebAuthn)
Passkeys provide the strongest authentication:
- Biometric login — Face ID, Touch ID, or fingerprint
- Hardware security keys — FIDO2/WebAuthn compatible devices
- No passwords — Passkey authentication eliminates password-based attacks
- Device-specific — Each passkey is tied to a specific device and can be managed individually
Credential Security
Integration credentials (API keys, database passwords, OAuth tokens) are protected through:
| Protection | Description |
|---|---|
| Encryption at rest | Credentials are encrypted in the database |
| Company isolation | Credentials are scoped to a specific company and invisible to other companies |
| Secure display | Sensitive values are masked in the UI by default |
| Access control | Only users with manage_integrations permission can create or modify credentials |
Payment Security
All payment processing is handled by Stripe:
- Vantage never stores credit card information
- Payment details are entered directly into Stripe's secure checkout modal
- Transactions are confirmed via Stripe webhooks
- PCI compliance is handled entirely by Stripe
Data Isolation
| Level | What's Protected |
|---|---|
| Platform | All data is served over HTTPS |
| Company | Dashboards, workflows, integrations, and user data are isolated per company |
| Organization | Cross-company sharing requires explicit admin configuration |
| User | Personal dashboards, 2FA settings, passkeys, and session data are user-specific |
Session Security
- Sessions are managed with secure, httpOnly cookies
- Session tokens are rotated automatically
- Sessions expire after a configurable period of inactivity
- Organization and company context are embedded in the session
Domain Restrictions
Organization admins can restrict integration connections to approved domains only:
- Settings → Organization → Integration Settings
- Add allowed domains
- Integrations from unauthorized domains are blocked
Best Practices
- Enable 2FA on all accounts, especially admin and billing accounts
- Use passkeys where supported for the strongest authentication
- Rotate credentials — Periodically update API keys and database passwords
- Review access roles — Ensure users have the minimum permissions needed
- Monitor audit logs — Regularly check for unauthorized access attempts
- Use domain restrictions — Limit which external services can connect to the platform