Security

How Vectrant protects your data and your customers' data.

Infrastructure

Vectrant deploys as a fully containerized Docker stack. Each component — the application server, vector database, PostgreSQL database, Redis cache, background workers, and reverse proxy — runs in its own isolated container with defined resource limits and health checks. This architecture provides process isolation, reproducible builds, and consistent deployments across environments.

For self-hosted deployments, the entire stack runs on your own infrastructure. No data leaves your network except for outbound API calls to your configured LLM provider.

Authentication

Vectrant uses JSON Web Tokens (JWT) for stateless authentication. Tokens are cryptographically signed, time-limited, and include refresh token rotation to minimize exposure from token compromise. All authentication endpoints are rate-limited to prevent brute-force attacks.

Passwords are hashed using industry-standard algorithms before storage. Plaintext passwords are never stored or logged.

Access control

The platform implements a four-tier role-based access control (RBAC) system:

  • Admin — Full platform access including user management, system configuration, analytics, and all operational tools.
  • Agent — Access to the agent dashboard, live conversation takeover, performance metrics, and customer interaction tools.
  • Employee — Access to internal knowledge pipelines and operational information relevant to their role.
  • Customer — Access to customer-facing knowledge and product information only. Customer queries are routed through a separate pipeline that excludes internal documents.

Each API endpoint and admin page enforces role requirements through decorator-based authorization. Knowledge base content is isolated by role — customers cannot access internal documents, and custom pipelines can be restricted to specific roles.

Data protection

PII detection and redaction

Vectrant includes built-in PII (Personally Identifiable Information) detection that scans incoming messages for sensitive data patterns. Detected PII is flagged and can be redacted before processing or storage, reducing the risk of sensitive data exposure.

Input sanitization

All user inputs are sanitized before processing to prevent injection attacks, cross-site scripting (XSS), and other input-based vulnerabilities. The middleware layer validates and cleans request data before it reaches application logic.

Encryption

All data in transit is encrypted using TLS 1.2 or TLS 1.3. The Nginx reverse proxy terminates SSL/TLS connections and enforces HSTS (HTTP Strict Transport Security) headers to prevent protocol downgrade attacks. SSL certificates are automatically managed and renewed through the integrated Certbot service.

Database connections within the Docker network use internal networking. For deployments that require encrypted internal connections, PostgreSQL SSL can be configured.

Rate limiting

Vectrant implements tiered rate limiting across all API endpoints to protect against abuse and denial-of-service attempts. Rate limits are configurable per endpoint and can be adjusted based on deployment requirements. Default limits are set to balance accessibility with protection.

Audit logging

The platform maintains comprehensive audit logs of system activity, including authentication events, administrative actions, and query processing. Logs are stored locally and can be integrated with external log management systems. Background task execution is logged to a dedicated task log table with status tracking and error reporting.

Self-hosted data sovereignty

Vectrant's self-hosted deployment model means your data stays on your infrastructure. Conversation logs, knowledge base documents, product catalogs, and user data all reside in databases and file systems that you control. There is no telemetry, no data collection by Vectrant, and no dependency on external Vectrant services for platform operation.

The only external network calls made by the platform are to your configured LLM provider for response generation and to your configured embedding provider for vector search. You choose which providers to use and can review the data sent in each request.

Responsible disclosure

If you discover a security vulnerability in Vectrant, we appreciate your help in disclosing it responsibly. Please contact us with details of the vulnerability. We will acknowledge receipt, investigate the issue, and work to address it promptly.