
Trust Center

Security & Compliance

This page is maintained by House of Vanya™ by Alice for security-conscious customers and procurement teams. The counters update live; everything below is aggregate-only and contains no usernames, IPs, or policy detail.

What’s running here

Application version

From package.json at deploy time.

Build SHA

The Git commit currently serving traffic.

Last deploy

UTC, captured by the Worker build pipeline.


What we monitor

Rolling 24-hour totals from our detection pipeline. A non-zero counter is healthy — it confirms the alert dispatcher (Batch 5 / D2) is firing. No row-level data is exposed.

Security events (24h)

Unauthorized / forbidden / rate-burst / RLS-violation / alert-dispatched signals.

Audit log entries (24h)

Admin actions and refund attempts written to the append-only ledger.

Last quarterly trust review:

What we protect

We don't store your card

Card and UPI details go straight to Stripe and Razorpay. We only see the order amount and the tokenised payment ID.

Encrypted LLM key vault

Third-party AI keys live in an AES-256-GCM vault. Decryption requires a WebAuthn passkey from a registered admin device.

Append-only audit logs

Every admin action and refund attempt writes to an append-only table protected by triggers — rows cannot be edited or deleted.

Two-person admin revocation

Revoking another admin's access requires a second active admin to co-sign within the in-app panic-button workflow.

Quarterly access + dependency reviews

Access lists are reviewed every quarter; Renovate proposes weekly updates and security advisories auto-merge after CI.

Latest engineering highlights

Content Security Policy + HSTS (Batch 1 / F4)

CSP with frame-ancestors 'none', upgrade-insecure-requests, and a /api/public/csp-report sink. HSTS, COOP, CORP, Referrer-Policy, Permissions-Policy and X-Content-Type-Options applied at the Worker edge.

Secrets out of source (Batch 1 / F2)

Prebuild guard fails the deploy if any tracked file contains a service-role key, vault key, payment secret, or HMAC secret. Only the publishable anon key remains in the auto-managed .env.

Live security alert dispatcher (Batch 5 / D1–D3)

security_events stream into a Postgres-deduped dispatcher; HMAC-signed webhooks fan out to Slack and email subscribers every 60 s, with exponential backoff and an in-app /admin/security-events console.
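The passage above says subscribers receive HMAC-signed webhooks. The following is an added example, not code from House of Vanya, showing how a Slack-bridge or email relay on the receiving end can check such a signature before acting on an alert. The header name and the "sha256=<hex>" encoding are assumptions (the page only states that the webhooks are HMAC-signed), and the secret and payload below are constructed sample values.

```shell
#!/bin/sh
# Added example: verify an HMAC-SHA256 webhook signature with openssl.
# Assumed format (not stated on the page): header value "sha256=<lowercase hex>",
# computed over the raw request body with a shared secret.
set -eu

# hmac_sha256 SECRET   (message on stdin) -> lowercase hex digest
# The sed strips the "(stdin)= " / "SHA2-256(stdin)= " prefix openssl prints.
hmac_sha256() {
    openssl dgst -sha256 -hmac "$1" | sed 's/^.*= //'
}

# sign_webhook SECRET BODY -> the signature header value the dispatcher would send
# (included so the example runs end to end; the real dispatcher is server-side).
sign_webhook() {
    printf 'sha256=%s\n' "$(printf '%s' "$2" | hmac_sha256 "$1")"
}

# verify_webhook SECRET BODY SIGNATURE_HEADER -> exit 0 only if the signature matches
verify_webhook() {
    secret="$1"; body="$2"; header="$3"
    expected=$(sign_webhook "$secret" "$body")
    [ "$header" = "$expected" ]
}

# Constructed sample values (not real secrets or events).
SAMPLE_SECRET='constructed-shared-secret'
SAMPLE_BODY='{"kind":"rate_burst","count":42,"window":"24h"}'

if [ "${1:-}" = "demo" ]; then
    sig=$(sign_webhook "$SAMPLE_SECRET" "$SAMPLE_BODY")
    verify_webhook "$SAMPLE_SECRET" "$SAMPLE_BODY" "$sig" && echo "signature ok"
fi
```

Run with `sh verify-webhook.sh demo`. Two design points a subscriber should keep: hash the raw body bytes exactly as received (re-serialising JSON changes the digest), and note that the `[ = ]` comparison is not constant-time; a production receiver should use its language's constant-time compare.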

Two-person admin revocation + panic button (Batch 6 / O1)

Admin offboarding requires a second admin to co-sign. The panic button revokes all elevated sessions, freezes vault unlocks, and writes a tamper-evident audit row.

Quarterly access reviews (Batch 6 / O3)

Monthly pg_cron produces a SOC-2 / DPDP access-review report; ferdi + alice sign off the active admin list and CSV exports are retained under docs/security/access-reviews/.

Supply chain pinned (Batch 8 / S1–S4)

Renovate runs on a Monday cron; SECURITY.md sets 72 h / 14 d SLAs; scripts/check-deps.mjs rejects off-registry resolutions and reserved private scopes; GitHub Actions are pinned to 40-character SHAs.

Server- and client-side test suite (Batch 7 / T1–T3)

Vitest covers vault crypto, coupon math, refund eligibility, webhook HMAC, admin guards, auth middleware, and fast-check fuzz on 9 input validators. CI runs lint + test + build on every PR.

Vault & WebAuthn

AES-256-GCM at-rest encryption for LLM keys; WebAuthn passkey gate on /admin; deny-all RLS on app_settings and admin_secrets; expired challenges purged hourly by pg_cron.

Certification bundle — v4

Released 2026-06-30 · 178 KB. Tamper-evident — verify the outer archive against the SHA-256 below, then verify per-file hashes with the bundled SHA256SUMS.txt.

SHA-256: da791ec5cdb672cf1b5201507a2c2471c2e49da7ddb1285d3cd359a9d902d196
Capabilities dossier (MD + PDF)
Security audit batches 1–9
Full QA report (132 routes)
Control matrix
Release notes (Waves 20 → 26)
Brand system
10 Mermaid diagrams
CycloneDX 1.5 SBOM (81 components)
SHA256SUMS.txt — per-file integrity

Prior release: v3 retained for audit continuity.
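The bundle notice above describes a two-step check: the outer archive against the published SHA-256, then each file against the bundled SHA256SUMS.txt. The script below is an added example, not the project's own tooling, that carries out both steps and distinguishes which one failed. It assumes the bundle is a tar.gz with SHA256SUMS.txt at its top level (the page does not state the archive format), and the bundle it builds for demonstration is a constructed sample, not the real v4 release.

```shell
#!/bin/sh
# Added example: verify a release bundle in two steps.
#   1. The outer archive must match the published SHA-256.
#   2. Every file listed in the bundled SHA256SUMS.txt must match its hash.
# Assumption: tar.gz archive with SHA256SUMS.txt at the top level.
set -eu

# verify_bundle ARCHIVE EXPECTED_SHA256 -> 0 only if both checks pass
verify_bundle() {
    archive="$1"
    expected="$2"
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: outer archive hash mismatch" >&2
        return 1
    fi
    workdir=$(mktemp -d)
    tar -xzf "$archive" -C "$workdir"
    if [ ! -f "$workdir/SHA256SUMS.txt" ]; then
        echo "FAIL: SHA256SUMS.txt missing from bundle" >&2
        rm -rf "$workdir"
        return 1
    fi
    # sha256sum -c re-hashes each listed file; --strict treats malformed lines as errors.
    if ( cd "$workdir" && sha256sum -c --quiet --strict SHA256SUMS.txt ); then
        rm -rf "$workdir"
        return 0
    fi
    echo "FAIL: per-file hash mismatch" >&2
    rm -rf "$workdir"
    return 1
}

# make_sample_bundle OUTDIR -> builds a constructed sample bundle under OUTDIR and
# prints "<archive-path> <sha256>" so the caller can run verify_bundle against it.
make_sample_bundle() {
    out="$1"
    src="$out/bundle-src"
    mkdir -p "$src"
    printf 'control matrix (constructed sample)\n' > "$src/control-matrix.md"
    printf 'release notes (constructed sample)\n' > "$src/release-notes.md"
    ( cd "$src" && sha256sum control-matrix.md release-notes.md > SHA256SUMS.txt )
    tar -czf "$out/bundle.tar.gz" -C "$src" .
    printf '%s %s\n' "$out/bundle.tar.gz" "$(sha256sum "$out/bundle.tar.gz" | cut -d' ' -f1)"
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    set -- $(make_sample_bundle "$tmp")
    verify_bundle "$1" "$2" && echo "bundle ok"
    rm -rf "$tmp"
fi
```

For the real release, call `verify_bundle path/to/bundle "<published SHA-256>"` with the value printed on this page. Checking the outer hash first matters: SHA256SUMS.txt travels inside the archive, so it only proves integrity once the archive itself has been tied to the published digest.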

Disclosures

Report a vulnerability

Email security@houseofvanya.com. We acknowledge within 72 hours and triage within 14 days. Please do not file a public GitHub issue; full disclosure policy is in SECURITY.md.
