Procurement & security review

Veripsa — Security questionnaire response (template)

Vendor: GetVeripsa (operates Veripsa Core and the Veripsa platform) · Last updated: · Source of record: veripsa.com/trust

Most procurement teams ask the same ~30 questions. This is our written answer in questionnaire form. Print to PDF (⌘P / Ctrl+PSave as PDF) and attach to your vendor file. Every answer links back to a source-of-truth page on veripsa.com so your reviewer can audit independently rather than take this packet at face value.

1. Data classification

What classes of customer data does the vendor store?

Veripsa Core is content-free by design. To warn about cross-pull-request collisions before merge, file contents are read transiently in memory to produce operational metadata, then discarded. Only the minimal content-free service metadata below is retained.

What we do store

What we do not store

Source: /trust § 1 · policy form: /privacy.

2. Data residency

Where is customer data stored?

Source: /legal/subprocessors.

3. Data retention

How long is customer data retained?

ObjectRetention
Working set (in-flight reservations and content-free caches) Kept while active. Inactive repo working-set/cache rows may be pruned after a period of inactivity, normally 30 days. The working set is rebuilt on the next default-branch push or pull request; co-change history is repopulated asynchronously. Purged on uninstall and on account deletion via the enumerated erase/purge gate.
Operational telemetry (push and landing events) Retained for 30 days, then pruned.
Advisory history (append-only) Kept as an append-only content-free record until account erasure; not used as a live working set.
Webhook delivery audit Terminal (completed or failed) entries are pruned after 30 days by the nightly retention sweep; the delivery payload is cleared as soon as an entry completes. Also covered by the same account-deletion erase/purge gate.
Account-lifecycle events Append-only operational record; deleted on account deletion via the enumerated erase/purge gate.
Sign-in session cookie Signed JWT in the browser carrying only the opaque GitHub user ID; cleared on sign-out. No parallel server-side session record.

Source: /trust § 2.

4. Subprocessors

Who else processes customer data?

VendorPurposeRegion
GitHub GitHub App platform; OAuth sign-in (opaque user ID) Global (GitHub)
Managed cloud hosting Compute and managed database hosting for Core and the platform US

No third-party analytics or advertising SDKs are wired into the platform. Material changes to the subprocessor list are reflected on the Subprocessors page with a new Last updated date; we aim for at least 30 days notice before a material change takes effect (a DPA covering this is available on request).

Source: /legal/subprocessors.

5. Encryption — at rest and in transit

How is customer data protected on the wire and in storage?

Source: /security, /trust § 3.

6. Authentication & access control

How do users sign in? What identity does the vendor store?

Source: /trust §§ 3, 8; /security.

7. Incident response

What is the incident-response process? Where are post-mortems?

Suspected security issues go to support@veripsa.com. The reporter-facing flow — what to include, our coordinated-disclosure window, and our safe-harbor stance — is on /security/disclosure.

Example incident note on record: 2026-06-25 schema-drift — what happened, the affected scope, and the follow-up controls.

Source: /incidents, /security/disclosure.

8. Service-level agreement (SLA)

What uptime do you commit to contractually?

We are honest about where we are. Today, Veripsa does not offer a contractual uptime SLA on the default plans. Production runs on managed infrastructure with health-gated rollouts and managed database backups; we operate it on a best-effort basis and aim for high availability of the dashboard and the GitHub App check runs.

A live health probe of the Core App is published at /status — it runs a server-side service-health check on every request and reports the outcome honestly (it does not claim a contractual uptime SLA). Public operational metrics are at /metrics.

For an Enterprise plan with a contractual SLA and a dedicated escalation path, email support@veripsa.com.

Source: /trust § 5.

9. Compliance posture

What certifications and attestations does the vendor hold?

Current status: today, Veripsa does not hold the following — and will not claim them until they are real:

What we do offer today

If your organization needs one of the certifications above to adopt Veripsa, email support@veripsa.com so we can scope it together.

Source: /trust § 9.

10. Right to erasure

How does a customer have their data deleted?

Source: /trust § 2; /privacy.