Security

Hosting

VSync runs on AWS in us-east-1, behind a managed Postgres database (Supabase) and Vercel’s edge network. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

Access

Each event has roles — venue, planner, vendor. Vendors only see what they need to see for the events they have been invited to. Row-level security is enforced at the database tier, not only at the API tier — it is designed to keep one customer’s data from being exposed to another.

Audit trail

Every change to a run-of-show, a vendor brief, or a floor plan is stamped with the user, the timestamp, and the previous value. We keep audit history for the lifetime of the event and 90 days beyond.

Compliance

VSync is a United States–based service. We align our privacy practices with applicable US state privacy laws, including the CCPA for California residents. We do not sell customer data.

Vulnerability disclosure

Found something? Email contact@vsync.events. We respond within one business day, and we do not take legal action against good-faith researchers.

Sub-processors

AWS (hosting, storage), Supabase (database, auth), Vercel (hosting, edge), Stripe (payments), Resend (transactional email), OpenAI (AI document processing), Google Cloud (OAuth identity provider, where used). The current list is published at vsync.events/legal/sub-processors.