
Security FAQ


Frequently asked questions about security, data protection, encryption, compliance, and best practices.

Data & Privacy

Q: Are my data secure with Vectora? A: Yes. BYOK (Bring Your Own Key), AES-256-GCM encryption, TLS 1.3, Guardian blocklist, RBAC, and audit logging are all in place.

Q: Does Vectora see my code? A: No. Indexed code stays in your MongoDB Atlas. Embeddings only pass through APIs you control (Voyage). Vectora never accesses the raw code.

Q: How do you use my data? A: We don’t. Data is isolated by namespace and user. No analytics, no model training.

Q: How does .env blocking work? A: Guardian blocks files by default BEFORE reading:

  • .env* (environment)
  • *secret*, *credential* (secrets)
  • *.key, *.pem, *.pfx (keys)
  • package-lock.json, Gemfile.lock (locks)

Guardian is compiled at runtime and cannot be bypassed.

Q: How do I delete sensitive data? A: Delete the file and re-index: vectora index --incremental. Chunks are immediately removed from searches and backups.

Access & Authentication

Q: Can I use SSO/LDAP? A: Yes, on the Team+ plan. Supports: Azure AD, Okta, Google Workspace, and custom OIDC.

Q: How do I reset my password? A: vectora user reset-password --email user@company.com. A link will be sent by email, valid for 1 hour.

Q: Is it safe to use a token in CI/CD? A: Yes. Tokens are JWT, expirable (30 days by default), with granular scopes (read-only, search-only, etc.).

Q: Is there 2FA? A: Yes, enabled by default. Supports TOTP (Authy, Google Authenticator, Microsoft Authenticator).

Q: How do I revoke access? A: Admins can run vectora user revoke --email user@company.com --token-id token_123. The effect is immediate.

Compliance & Certifications

Q: Are you GDPR compliant? A: Yes. We support: right to be forgotten, portability, and export via vectora export --namespace your-ns --format gdpr.

Q: Do you have SOC 2? A: In progress for 2026. We currently support manual audits.

Q: Is it HIPAA compliant? A: Yes for data handling (AES-256, TLS, audit). Requires a BAA (Business Associate Agreement), available on the Team plan.

Q: Can I use it in government/defense? A: Yes. The Enterprise plan includes on-premise, air-gapped, and custom SLA options.

Audit & Logs

Q: How do I audit access? A: vectora audit --since 7d

Log example:

{
  "timestamp": "2026-04-19T10:30:00Z",
  "action": "search",
  "user": "bruno@company.com",
  "query": "authentication",
  "namespace": "your-project",
  "result": "success",
  "ip": "192.168.1.1"
}

Q: How long are logs retained? A: Free: 30 days. Pro: 90 days. Team: 180 days. Enterprise: customized.

Q: Are logs immutable? A: Yes. They are stored in an append-only log with a hash chain (cannot be altered).
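An added illustration (not Vectora’s own code) of why a hash-chained, append-only log makes tampering detectable: each entry stores the previous entry’s hash, so editing, deleting or silently re-hashing one record breaks the link at that entry or the one after it. The entry layout, the SHA-256-over-canonical-JSON construction and the sample events (built in the log format shown above) are assumptions for this example.

```python
import hashlib
import json

# Constructed sample events, in the shape of the audit log example above.
SAMPLE_EVENTS = [
    {"timestamp": "2026-04-19T10:30:00Z", "action": "search", "user": "bruno@company.com",
     "query": "authentication", "namespace": "your-project", "result": "success", "ip": "192.168.1.1"},
    {"timestamp": "2026-04-19T10:31:00Z", "action": "index", "user": "bruno@company.com",
     "query": "", "namespace": "your-project", "result": "success", "ip": "192.168.1.1"},
    {"timestamp": "2026-04-19T10:32:00Z", "action": "login", "user": "mallory@company.com",
     "query": "", "namespace": "your-project", "result": "failure", "ip": "203.0.113.5"},
]

GENESIS = "0" * 64  # assumed convention: prev_hash of the very first entry


def canonical(event):
    # Sorted keys and fixed separators so the same event always serializes identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, event):
    # Each link commits to the previous link's hash AND this event's content.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def append(chain, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev_hash": prev, "event": dict(event), "hash": entry_hash(prev, event)}
    chain.append(entry)
    return entry


def build_chain(events):
    chain = []
    for event in events:
        append(chain, event)
    return chain


def verify_chain(chain):
    """Walk the chain from genesis; return (True, -1) or (False, index of first broken link)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1
```

Re-hashing an edited entry does not help an attacker: the next entry still holds the old hash, so verify_chain reports the break one link later.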

Q: Can I audit a specific user’s activity? A: Yes. vectora user activity --email user@company.com --since 7d.

Encryption & Keys

Q: Is there encryption? A: Yes, dual layer:

  • At Rest: AES-256-GCM (FIPS 140-2 compliant).
  • In Transit: TLS 1.3 (mandatory).

Q: Who has the key? A: You do. BYOK means your keys are:

  • Generated by you in Google AI Studio / Voyage AI.
  • Stored locally in ~/.vectora/config.
  • Used only for your API calls.
  • Never saved on Vectora’s servers.

Q: Is there key rotation? A: Yes. You control it: vectora config rotate-key GEMINI_API_KEY. A new key is used, and the old one is discarded.

Best Practices

Q: Is there rate limiting? A: Yes.

  • Free: 60 req/min (API).
  • Pro: 2000 req/min.
  • Team: Custom.
  • Brute-force protection: 5 failures = 15min block.

Q: Can I use it in production? A: Yes.

  • Free: Zero SLA.
  • Pro: 99.9% SLA (8.7h downtime/year).
  • Team: 99.99% SLA (52min downtime/year).
  • Enterprise: Custom SLA up to 99.999%.

Q: How do you handle brute-force attacks? A: Automatically. After 5 failed password attempts, the IP is blocked for 15 minutes.

Q: Is there security testing? A: Yes.

  • Penetration testing: Annual (included in SOC 2).
  • Code scanning: Automated on every merge.
  • Dependency scanning: OWASP, npm audit.
  • Secret scanning: GitHub secret scanning active.

Q: How do I report a vulnerability? A: Through GitHub Security Advisory. Response in < 24h, coordinated disclosure.


More questions? GitHub Security or Email.


Part of the Vectora ecosystem · Open Source (MIT) · Contributors