We don't ask you to take our word for it.
Vinny handles sensitive resident, leasing, and operational data every day. Security, privacy, and responsibility are built in — audited, certified, and verified by independent third parties.
Need-to-know
Access is granted on a need-to-know basis, using the principle of least privilege.
Defense-in-depth
Security controls are layered so that no single failure compromises the system.
Applied consistently
Controls are enforced uniformly across the enterprise.
Continuously improved
Controls are refined to be more effective over time.
Data at rest
All datastores containing customer data are encrypted at rest. For our most sensitive data, field-level encryption is applied before it reaches the database — neither physical nor logical database access is enough to read it.
Data in transit
All data in transit is protected using TLS 1.2 or higher, with HSTS enforced to prevent protocol downgrade attacks. TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.
Secret management
Encryption keys are managed via AWS Key Management Service (KMS), which stores key material in Hardware Security Modules (HSMs). This means no individual, including Amazon or Vinny employees, can access key material directly; encryption and decryption happen exclusively through KMS APIs. Application secrets are encrypted at rest via AWS Secrets Manager and Parameter Store, with access strictly limited.
Annual external pen tests with Aikido. Daily internal tests in between.
Vinny conducts annual penetration testing with Aikido, a leading firm specialising in GraphQL security. All product and infrastructure components are in scope, with full source code access provided to maximise coverage.


Vulnerability scanning
6 LAYERS · ALWAYS ON
Endpoint protection
All corporate devices are centrally managed with MDM and anti-malware. Disk encryption, screen lock, and automatic updates are enforced. Endpoint security alerts are monitored 24/7/365.
Secure remote access
Remote access to internal resources is secured via AWS VPN. Malware-blocking DNS servers provide additional protection for employees browsing the internet.
Security education
All employees complete security training at hire and annually. New engineers attend an additional session on secure coding. The security team shares regular threat briefings.
Identity & access
Phishing-resistant authentication is enforced — WebAuthn exclusively wherever possible. Access is granted by role and automatically deprovisioned upon termination.
Regulatory compliance
Vinny continuously evaluates updates to regulatory and emerging frameworks to evolve the program.
Privacy policy
How Vinny collects, uses, and safeguards personal data.
Data subject requests
Submit access, deletion, or portability requests through a single channel; responses within 30 days.














