
Security

Security starts with a small, controlled surface.

CategoryVantage is early and deliberately bounded. The public site does not host a customer login, payment flow, upload portal, or private customer-data workspace. Security posture expands before the data surface expands.

HTTPS public site
SPF and DKIM-aligned business mail
Separate enterprise controls before private data
Current surface

Static public site and business email.

The current public footprint is intentionally simple: marketing pages, mailto-based contact paths, managed DNS, and a business mailbox. This keeps the exposed attack surface smaller while the product offer is shaped.

Access

Least-necessary access by default.

Access is limited to the people and services needed to operate the domain, site, mailbox, and demos. Credentials and admin access are not passed around in shared working notes.

Data

Minimize before collecting.

The public site does not request sensitive customer data. Future private customer-data programs are handled through separate scope, purpose, access, retention, and review controls before collection.

Claims

No premature certification claims.

CategoryVantage does not claim SOC 2, ISO 27001, HIPAA, PCI, or formal penetration-test completion unless those controls are actually completed and available for review.

Operating controls

Security controls match the data risk.

Public site delivery: Use HTTPS, managed DNS, minimal scripts, and a static asset surface where possible.
Email reliability: Keep MX, SPF, DKIM, and mailbox monitoring in place before relying on the domain for commercial communication.
Internal artifacts: Separate raw data, proof artifacts, truth layers, and customer-facing outputs so mistakes do not silently propagate.
Incident handling: Security reports, suspected mailbox issues, DNS changes, and exposure concerns are routed for review.
Transport

Encrypted delivery by default.

The public site is served over HTTPS. Mail and DNS are configured through managed providers, with sender authentication records used to reduce spoofing and delivery risk.
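The "keep MX, SPF, DKIM in place" control above and the sender-authentication records mentioned here are only as good as the published record text, and the usual failure modes (two SPF records, a permissive "?all" or "+all", a revoked DKIM selector, a DMARC policy of p=none) are easy to check mechanically. The following is an added example, not CategoryVantage code: it audits the SPF, DKIM and DMARC TXT records for a sending domain. The record strings and the domain example.com / selector s1 are constructed sample data; a live check would fetch the TXT records with a resolver, which is left out so the script runs offline. DMARC is included here because "DKIM-aligned" mail is a DMARC alignment property.

```python
"""Audit the SPF, DKIM and DMARC TXT records that authenticate a sending domain.

Added example; not CategoryVantage code. Record text below is constructed
sample data. A live check would fetch TXT records (e.g. with dnspython); that
lookup is omitted so the example runs offline.
"""
import re

MAX_SPF_LOOKUPS = 10  # RFC 7208: at most 10 DNS-querying terms per evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _tags(record):
    """Parse a 'k=v; k=v' DKIM or DMARC record into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Findings for the SPF record published at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # Two SPF records is a permerror: receivers treat it as no SPF at all.
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    findings, lookups, terminal = [], 0, None
    for term in spf[0].split()[1:]:
        # Strip the qualifier (+ - ~ ?) and any ':' '=' '/' argument to get the mechanism name.
        name = re.split(r"[:=/]", re.sub(r"^[+\-~?]", "", term), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            terminal = term
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_SPF_LOOKUPS} (permerror)")
    if terminal is None:
        findings.append("no terminal 'all' term; unmatched senders are neutral")
    elif terminal[0] not in "-~":
        findings.append(f"permissive terminal '{terminal}'; any host may send as this domain")
    return findings


def check_dkim(txt_records):
    """Findings for a selector record at <selector>._domainkey.<domain>."""
    if len(txt_records) != 1:
        return [f"expected one DKIM record at the selector, found {len(txt_records)}"]
    tags = _tags(txt_records[0])
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        findings.append(f"unexpected version tag '{tags['v']}'")
    if not tags.get("p"):  # an empty p= means the selector's key was revoked
        findings.append("empty or missing p= tag; the selector is revoked or unusable")
    if tags.get("t") == "y":
        findings.append("t=y testing flag set; verifiers may ignore failures")
    return findings


def check_dmarc(txt_records):
    """Findings for the policy record at _dmarc.<domain>."""
    if len(txt_records) != 1:
        return [f"expected one DMARC record, found {len(txt_records)}"]
    tags = _tags(txt_records[0])
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= policy '{policy}'")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not be received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def audit_domain(domain, selector, txt):
    """txt maps a DNS name to the list of TXT strings a resolver would return for it."""
    return {
        "spf": check_spf(txt.get(domain, [])),
        "dkim": check_dkim(txt.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", [])),
    }


# Constructed sample zones for a hypothetical domain; not real DNS data.
GOOD = {
    "example.com": ["v=spf1 include:_spf.mailprovider.example -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}
WEAK = {
    "example.com": ["v=spf1 a mx include:_spf.a.example include:_spf.b.example ?all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; t=y; p="],
    "_dmarc.example.com": ["v=DMARC1; p=none; pct=50"],
}

if __name__ == "__main__":
    for label, zone in (("good", GOOD), ("weak", WEAK)):
        for record, findings in audit_domain("example.com", "s1", zone).items():
            print(label, record, findings or "ok")
```

Run this against the records a resolver returns before the domain carries commercial mail, and again after every DNS change; the SPF lookup count in particular drifts upward silently as mail providers add nested includes.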

Secrets

No credentials in public workflows.

Passwords, API keys, tokens, and admin credentials are not handled through demo requests, screenshots, email threads, or support notes. If a secret is exposed, it is treated as a rotation issue rather than normal debug context.
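Inbound text is where this rule breaks in practice: a prospect pastes a key into a demo request or a support reply, and it is then stored in a ticket or forwarded by email. The following is an added example, not CategoryVantage code, of a pre-storage scan that redacts recognisable credential shapes and reports what was found so the finding can be routed as a rotation issue. The named patterns are a hypothetical starter set based on widely documented token formats, the entropy threshold is an assumed tuning value, and the sample request is constructed.

```python
"""Scan inbound text (demo requests, support notes) for credentials before it is stored.

Added example; not CategoryVantage code. PATTERNS is a hypothetical starter set
built from publicly documented token formats; the sample message is constructed.
"""
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_header": re.compile(r"(?i)\bauthorization:\s*bearer\s+[A-Za-z0-9\-._~+/]+=*"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"),
}

# Catch-all for long opaque words no named pattern knows about (assumed tuning values).
GENERIC_TOKEN = re.compile(r"\b[A-Za-z0-9+/=_\-]{32,}\b")
ENTROPY_THRESHOLD = 3.5  # bits per character; prose words of this length stay well below it


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(text):
    """Return (redacted_text, findings); findings is a list of (kind, line_number)."""
    findings, out = [], []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((kind, n))
                line = pat.sub(f"[REDACTED:{kind}]", line)

        def _generic(m):
            # Only redact long words that look random; leave long ordinary words alone.
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(("high_entropy_token", n))
                return "[REDACTED:high_entropy_token]"
            return m.group(0)

        out.append(GENERIC_TOKEN.sub(_generic, line))
    return "\n".join(out), findings


# Constructed sample demo request; the AWS key is the documented example value.
SAMPLE_REQUEST = """\
Hi, we'd like a demo of the category dashboard.
Our ingest user is svc-cv, password: Tr0ub4dor&3 and the S3 key is AKIAIOSFODNN7EXAMPLE.
Also attaching the export token: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Thanks!
"""

if __name__ == "__main__":
    redacted, findings = scan(SAMPLE_REQUEST)
    print(redacted)
    for kind, line_no in findings:
        print(f"rotate: {kind} seen on line {line_no}")
```

Only the redacted text should reach the ticket or mailbox archive; the findings list is what gets routed, since each one means a credential is already burned and has to be rotated regardless of how it arrived.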

AI boundary

AI assistance is not a security bypass.

AI-generated summaries or classifications do not replace source evidence, access controls, customer approval, or policy review. Sensitive data is not routed into uncontrolled prompts or temporary files.

Customer data

Separate workspace before sensitive data.

The Proof-Gated Decision Layer works from public evidence first. Private customer datasets, account strategy, margin, inventory, and tenant data are handled through a scoped workspace with clear access, retention, audit, and vendor-review expectations before use.

Before enterprise data

The security bar rises before sensitive usage begins.

Formal scope

Define what data is processed, why it is needed, who can access it, where it is stored, and when it is deleted.

Vendor review

Enterprise customers may expect security questionnaires, DPA review, a subprocessor list, documented access controls, and evidence of operational safeguards.

Audit trail

Customer-impacting decisions are supported by source evidence, review state, timestamps, and controlled promotion paths.

Report a concern

Security reports are handled directly.

Send security concerns to [email protected]. Please include the affected URL or mailbox, observed behavior, timing, and a safe reproduction summary. Do not include secrets, private customer data, or destructive proof.