VNDLYVNDLY
Get Started

Security & Architecture

VNDLY sits at the operational core of your business. We know that trust is the absolute highest currency, which is why we built our architecture to ensure your data is isolated, encrypted, and protected.

1. Integration API Tokens

Whether you are connecting Shopify, WooCommerce, Xero, or other external systems, API tokens are a critical attack vector. At VNDLY, API tokens are never stored in plain text.

  • We use AES-256-GCM to encrypt all access tokens before they touch the database.
  • The encryption utilizes a secure initialization vector (IV) and an auth tag for validation.
  • The master decryption key only exists as a secured environment variable on the server memory.
  • Even if someone were to gain read access to the database, the tokens are completely unusable without the server-side memory key.

2. AI Data Boundaries (BYOK)

Inventory platforms hold highly sensitive business information—sales volumes, supplier details, and margins. A major concern for many businesses is feeding this data into a monolithic, centralized AI provider that might train models on their proprietary metrics.

To solve this, VNDLY uses a Bring Your Own Key (BYOK) architecture:

  • VNDLY does not have a central OpenAI or Anthropic account that ingests all tenant data.
  • You provide your own API key (which is AES-256 encrypted in our database).
  • When you use the AI assistant, the request executes using your key directly to the provider.
  • We do not train our own models on your data.
  • Because you use your own key, you retain the data privacy agreements provided by OpenAI/Anthropic for API users, which explicitly state that API data is not used for model training.

3. Strict Tenant Data Isolation

VNDLY is a multi-tenant platform, but your data is cryptographically separated from all other users.

  • We use PostgreSQL Row Level Security (RLS) policies enforced at the database level.
  • Every single query automatically enforces a strict boundary based on your active session.
  • It is mathematically impossible for a query executed by one company's user to retrieve records belonging to another company.

4. Infrastructure & Backups

Our infrastructure is hosted on enterprise-grade cloud providers. We maintain automated daily backups of the database with Point-in-Time Recovery (PITR) enabled, ensuring that even in the event of catastrophic failure, your operational history can be restored swiftly.

Have security questions?

If your IT or security team has further questions about our architecture, we are happy to help. Contact us at hello@vndly.io.