Legal

Security & Disclosure

Effective: 2026-05-16

Demo sandbox posture

The public demo at demo.varypoint.com runs under the following defense-in-depth controls:

  • All Go services run with no-new-privileges:true, a read-only root filesystem, cap_drop: ALL, and explicit memory and CPU limits.
  • Postgres and Redis run as non-root users with isolated data volumes; secrets are rotated monthly.
  • The synthetic-data seeder service is on an internal Docker network only and is never reachable from the public internet.
  • Sandbox JWTs expire one hour after issuance and are scoped to a read-only sandbox_viewer role. The gateway middleware rejects every non-GET request that carries a sandbox token, regardless of what the backing service would allow.
  • Row-level security on every multi-tenant table enforces tenant isolation between the synthetic demo tenants.
  • HTTPS-only with Let's Encrypt; HSTS enabled.
  • No real PHI or PII in the sandbox — a pre-commit guard blocks any change that introduces real hospital/airline brand names or PII-pattern data.
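The gateway rule for sandbox tokens, as an added Go example and not Varypoint's own middleware. It assumes HS256-signed JWTs carrying role and exp claims, a sandbox_viewer role string, and a Bearer Authorization header; the signing key and request path are constructed for the example. The middleware verifies the signature and expiry before it looks at the role, pins the algorithm so the header cannot steer verification, and then refuses any non-GET method for a sandbox token while letting other roles through.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this gateway checks. The claim names
// (role, exp) are assumed for the example; the real token layout is not on the page.
type Claims struct {
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

const sandboxRole = "sandbox_viewer"

var b64 = base64.RawURLEncoding

// MintHS256 signs header.payload with HMAC-SHA256. It exists only to build
// tokens for the example; the real sandbox issuer is not shown on the page.
func MintHS256(key []byte, c Claims) string {
	hdr := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	signing := hdr + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signing))
	return signing + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 checks the MAC, pins the algorithm to HS256 and rejects expired
// tokens. Claims are returned only when all three checks pass.
func VerifyHS256(key []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Signature first: nothing in the header or payload is trusted until it matches.
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	// Pin alg so a header claiming "none" or an asymmetric scheme never changes
	// how this verifier behaves.
	var hdr struct {
		Alg string `json:"alg"`
	}
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	// A missing exp is treated as expired: sandbox tokens must always be bounded.
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// SandboxReadOnly is the gateway middleware: requests without a valid token get
// 401, and a sandbox_viewer token may only issue GET requests (403 otherwise).
func SandboxReadOnly(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		c, err := VerifyHS256(key, tok, time.Now())
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if c.Role == sandboxRole && r.Method != http.MethodGet {
			http.Error(w, "sandbox tokens are read-only", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request through the middleware and returns the status code.
func Probe(key []byte, token, method string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(method, "/api/shifts", nil) // constructed path
	req.Header.Set("Authorization", "Bearer "+token)
	SandboxReadOnly(key, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	key := []byte("example-signing-key-not-real") // constructed for the example
	tok := MintHS256(key, Claims{Role: sandboxRole, Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println("GET:", Probe(key, tok, "GET"), "POST:", Probe(key, tok, "POST"))
}
```

The ordering matters: the role check runs only on a token whose MAC and expiry already passed, so a tampered payload cannot promote itself out of the read-only path, and the method check sits in the gateway rather than in each service so a permissive backend handler cannot widen what a sandbox token can do.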

Production-tier controls

Production customer deployments operate under the controls validated in our SOC 2 Type II observation period (started May 2026). The full report is available under NDA to evaluating customers.

Responsible disclosure

Found a security issue? Please report it to security@varypoint.com before public disclosure. We commit to:

  • Acknowledging your report within 2 business days.
  • Providing a triage assessment within 7 business days.
  • Crediting you publicly (with your consent) once a fix is shipped.
  • Not pursuing legal action against good-faith research within scope.

Scope

In scope: demo.varypoint.com and api.demo.varypoint.com. Out of scope: any third-party processor (PostHog, Slack, the hosting VPS provider), denial-of-service attacks, social engineering, and physical attacks.