Security at Vormur

Security is foundational to how we build and operate. Vormur is designed from the ground up to meet the requirements of regulated financial institutions.

Last updated: May 12, 2026

Architecture Overview

Vormur operates as an automation layer on top of your existing compliance infrastructure. Customer data is processed by the Vormur application and persisted in an encrypted, US-hosted PostgreSQL database for the duration of the engagement so that completed investigations can be reviewed, audited, and re-opened. Data is encrypted in transit (TLS 1.3) and at rest (AES-256), segregated by customer, and accessible only through role-based access controls with full audit logging.

Vormur is designed to minimize risk surface: we hold customer data only as long as needed for the engagement, designated PII fields are tokenized before any payload is sent to an AI inference provider, every access to customer data is recorded in an append-only audit log, and we delete customer data from active systems within thirty (30) days of the end of the engagement.

Data Handling

Data Persistence

Customer data is persisted in Vormur's managed PostgreSQL database on US-based infrastructure for the duration of the engagement. Records are retained so that completed investigations can be reviewed, audited, and re-opened. On termination of the engagement, customer data is deleted from active systems within thirty (30) days; backup copies age out in accordance with our backup retention schedule, typically within sixty (60) days. Customers can request written confirmation of deletion.

PII Tokenization

Before customer data is sent to an AI inference provider, designated personally identifiable fields — including names, Social Security numbers, account numbers, dates of birth, and addresses — are replaced with opaque tokens generated by Vormur's tokenization service. The mapping between tokens and original identifiers is held inside Vormur's environment under the same controls as encryption keys; the AI inference provider only ever receives the tokenized form. Identifiers are re-mapped when investigation results are written back to your platform.
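
The tokenize-before-inference, re-map-on-write-back flow described above, as an added illustration (not Vormur's code); the JSON key names, the token format, and the in-memory vault are assumptions standing in for the real tokenization service:

```python
import json
import re
import secrets

# Designated PII fields named on the page; the exact JSON key names are an assumption.
PII_FIELDS = {"name", "ssn", "account_number", "date_of_birth", "address"}
TOKEN_RE = re.compile(r"tok_[a-z_]+_[0-9a-f]{16}")


class TokenVault:
    """Token <-> identifier mapping; kept inside the processing environment, never sent out."""
    def __init__(self) -> None:
        self._by_value = {}  # (field, value) -> token, so a repeated value gets one token
        self._by_token = {}  # token -> value, consulted only on write-back

    def tokenize(self, field: str, value: str) -> str:
        token = self._by_value.get((field, value))
        if token is None:
            # Random token, not derived from the value: without the vault it cannot be reversed.
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._by_value[(field, value)] = token
            self._by_token[token] = value
        return token

    def resolve(self, token: str) -> str:
        # Unknown tokens are returned unchanged rather than guessed at.
        return self._by_token.get(token, token)

    def raw_values(self):
        return set(self._by_token.values())


def tokenize_payload(obj, vault: TokenVault):
    """Recursively replace designated fields in a nested dict/list payload before inference."""
    if isinstance(obj, dict):
        return {k: vault.tokenize(k, str(v)) if k in PII_FIELDS and v is not None
                else tokenize_payload(v, vault) for k, v in obj.items()}
    if isinstance(obj, list):
        return [tokenize_payload(v, vault) for v in obj]
    return obj


def detokenize_text(text: str, vault: TokenVault) -> str:
    """Re-map every known token in model output back to its identifier on write-back."""
    return TOKEN_RE.sub(lambda m: vault.resolve(m.group(0)), text)


def leaks_raw_pii(outbound, vault: TokenVault) -> bool:
    """Egress check before the provider call: does any vaulted identifier still appear verbatim?"""
    serialized = json.dumps(outbound)
    return any(v in serialized for v in vault.raw_values())
```

The egress check is the control worth keeping even when the vault is replaced by a real service: it catches a designated field that slipped through under an unexpected key name.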

Encryption

Data in transit is encrypted using TLS 1.3 between Vormur and your platform, between Vormur and our AI inference providers, and between Vormur components. Data at rest in our managed PostgreSQL database is encrypted using AES-256. Encryption keys and other production secrets are held in a managed secrets store with access restricted to authorized administrators under multi-factor authentication.

Infrastructure Security

US-Based Processing

All inference and data processing occurs on US-based infrastructure, meeting data residency requirements for US financial institutions.

Encrypted Persistence

Customer data is persisted in our managed PostgreSQL database, encrypted at rest with AES-256, and deleted from active systems within 30 days of the end of the engagement.

Encrypted Communications

TLS 1.3 on all connections. Production secrets held in a managed secrets store; rotation procedures documented. No secrets in code or logs.

Audit Logging

All agent actions, routing decisions, and investigation events are recorded in an append-only audit log inside the Vormur environment, with a synchronized copy written back to your platform's audit trail where the integration supports it.

AI Model Security

Vormur's AI inference providers are contractually bound to the following commitments:

  • API data is not used for model training. Your investigation patterns and transaction data will never appear in a model that serves other customers.
  • Inference is stateless. Prompts and completions are not persisted beyond what is required for short-term abuse monitoring.
  • US-only inference is enforced, ensuring data does not leave US-based infrastructure during processing.
  • SOC 2 Type II certification is maintained by all inference providers.

Access Controls

  • All API endpoints require bearer token authentication.
  • Per-user and per-project rate limiting with sliding window enforcement.
  • Tenant isolation ensures each customer's data and configuration are fully separated.
  • Role-based access controls govern which users can view, edit, and approve investigations.

Incident Response

In the event of a security incident, Vormur will notify affected customers within 72 hours of confirmed discovery, provide a detailed assessment of impact and scope, implement containment and remediation measures, and provide a post-incident report with root cause analysis and corrective actions.

Contact

For security questions, vulnerability reports, or to request our latest security documentation, contact us at security@vormur.com.