The boring parts done right.
EU data residency at rest, Firecracker isolation per preview, TLS 1.3 + AES-256, provider controls where available, training-data opt-out on Max and Business, full code ownership. The detail is below — written so a security questionnaire has answers without a phone call.
How VULK is built, in six pillars.
Data residency
Production database is PostgreSQL 16 hosted on AWS RDS in eu-central-1 (Frankfurt). Application servers are EU. Static assets are CDN-distributed. No customer record is moved outside the EU without an explicit DPA addendum.
- Database: AWS RDS eu-central-1 (Frankfurt)
- App servers: AWS Frankfurt (eu-central-1)
- CDN: Cloudflare global edge (HTTPS only)
Generation isolation
Every live preview runs in a dedicated Firecracker microVM with its own kernel, rootfs and network namespace. One project cannot read or affect another's process tree, filesystem or network. VMs are torn down after the session — no shared persistent state.
- Per-preview Firecracker microVM
- Network namespace + iptables egress filter
- Ephemeral rootfs, destroyed on session end
Encryption
TLS 1.3 in transit everywhere. AES-256 at rest on RDS and on R2 / S3 storage. Customer secrets are held in a keychain and exposed to the application only as environment variables; they are never logged and never returned in API responses. Webhook payloads are HMAC-signed.
- TLS 1.3 (HTTPS only)
- AES-256 at rest (RDS, R2, S3)
- Secrets never logged or echoed
AI provider policy
We route through OpenRouter to Anthropic, Google, OpenAI and others. We prefer provider routes with no-training or zero-retention controls where available. VULK training-data opt-out is included on Max and Business; BYOM customers can enforce provider policy directly with their own keys.
- Provider retention controls used where available
- Training-data opt-out on Max and Business
- BYOM on Pro, Team, Max and Business
Authentication
User authentication uses NextAuth with PKCE. Stripe customer linking is server-side only. MFA is optional; SAML / OIDC SSO is available on the Business plan, with audit-log delivery to your SIEM.
- NextAuth (PKCE, secure-only cookies)
- Optional MFA via TOTP
- SAML / OIDC SSO on Business tier
Code ownership
Every project is your code. Export to GitHub or as a zip; run it on your infra; cancel us tomorrow and the apps you built keep running. We don't hold a license over your output, and we don't gate runtime behind a SaaS subscription.
- Full repo export (GitHub or zip)
- No proprietary runtime
- MIT-licensable on your terms
How we handle compliance.
What we do today — straight, no certifications we don't hold.
| Framework | Status | Detail |
|---|---|---|
| GDPR | Aligned | VULK is the data controller. DPA available on request. Sub-processors disclosed and notified on change. |
| Data Processing Agreement | Available | Sent free for Pro and Business plans. Enterprise terms reviewed within 5 business days. |
| PCI-DSS | N/A (Stripe handles cards) | Card data never touches VULK servers. Stripe Checkout / Elements handles all PCI scope. |
Who else touches your data.
We are required to disclose every external service that may process your data. Notification on change is part of the DPA.
| Service | Purpose | Region |
|---|---|---|
| AWS (RDS, S3) | Database + storage | eu-central-1 (Frankfurt) |
| Cloudflare | CDN, DNS, R2 storage, deploy | Global edge |
| Stripe | Billing + payment processing | EU + US (PCI-compliant) |
| Resend | Transactional email | EU |
| OpenRouter | AI model routing | Global (zero-retention provider routing) |
| Sentry | Error monitoring | EU |
Found a vulnerability? Tell us first.
We welcome responsible disclosure. Email security@vulk.dev with reproduction steps, expected vs. observed behaviour, and any CVSS-style severity assessment. We will acknowledge within 24 hours and triage within 72. We do not require an NDA to talk to a researcher.
Bounty payouts are reviewed case-by-case based on impact. Public credit (or anonymous, your choice) is offered in the changelog.
Last reviewed: April 30, 2026