How we protect your data
How we protect your videos, your account, and your data.
Last updated · June 1, 2026
Overview
Global Vextra AI is built on a foundation of industry-leading security practices and infrastructure providers. We take a transparent, layered approach to protecting customer data — from the moment a video upload begins to the way clips are stored, accessed, and eventually deleted.
This page describes the security measures we have in place today. We're a growing company, and our security program is growing with us. As we mature, we'll add formal certifications and audits. We commit to keeping this page honest and up-to-date as that happens — no aspirational claims, only what we actually do.
Data and infrastructure
Where your data lives
Your data is hosted on enterprise-grade cloud infrastructure with multiple certifications. We don't run physical servers ourselves; we leverage providers whose security teams are larger than most companies.
- Cloudflare R2: Object storage for source video uploads.
- Cloudflare Stream: Encoding and delivery of generated clips.
- MongoDB Atlas: Managed cloud database for application records.
- Vercel: Hosting and edge delivery for the web application.
- Google Cloud Run: Containerized, ephemeral video processing.
- Google Gemini: AI analysis of uploaded video to identify highlight clips.
- AssemblyAI: Speech-to-text transcription for caption generation.
- Firebase Auth: Identity, password storage, and session tokens.
Each of these providers maintains formal security certifications including SOC 2 Type II, ISO 27001, and GDPR compliance. We leverage their certified infrastructure, but we do not claim their certifications as our own. Our own SOC 2 audit is planned but not yet completed.
Encryption
- Data in transit: All communication between your browser and our services uses HTTPS with TLS 1.3.
- Data at rest: Source videos, clips, and database records are encrypted at rest by our infrastructure providers using AES-256 encryption.
- Backups: Our database provider performs continuous backups with point-in-time recovery.
Network isolation
Backend services communicate over private, authenticated channels. Our video processing service accepts requests only from our application's verified origin. Direct database access is restricted to our application servers.
Authentication and access
How accounts work
Authentication is handled by Firebase Auth, Google's managed identity platform. We don't store passwords ourselves — Firebase manages secure password hashing (using bcrypt-equivalent algorithms with per-user salts) and protects against common attacks including credential stuffing and brute force.
Session management
Sessions are managed through Firebase ID tokens, signed by Google's cryptographic infrastructure. Tokens are short-lived and automatically refreshed. Sensitive actions require a recent sign-in, and we can revoke active sessions immediately — which we do automatically when an account is deleted.
Admin access
Administrative access to production systems is restricted to authorized personnel only, and admin capabilities are gated by role-based authorization enforced on every request.
Account deletion
Users can delete their account at any time from the Settings page. Access is revoked immediately, and all associated data — videos, clips, transcripts, and account records — is permanently removed from our active systems within 24 hours by an automated daily process. Encrypted backups may retain data for a limited additional period per our providers' retention policies.
Application security
Code review
We use a feature-branch workflow and review changes before merging them to the main branch.
Dependency monitoring
We use GitHub's Dependabot to continuously monitor our dependencies for known vulnerabilities. Security-relevant updates are reviewed and applied promptly, typically within days of disclosure.
Static analysis
Our codebase is checked with TypeScript's strict type system and ESLint security rules. These catch entire categories of bugs (null dereferences, unsafe access patterns, prototype pollution) before code ships.
Abuse protection
Our APIs are rate-limited to protect against abuse and automated attacks. State-changing requests are verified against our own origin, and callbacks from our processing providers are authenticated before they're accepted.
Secrets management
API keys, database credentials, and other secrets are stored in encrypted environment variables, never committed to source control. We rotate credentials following security best practices and immediately after any suspected exposure.
Data handling and privacy
What we collect
- Account information: Email, name, profile picture (if provided).
- Usage data: Videos uploaded, clips generated, storage consumed.
- Technical data: IP address, browser type, request timestamps (for security and abuse prevention).
What we don't do
- We do not sell your data to third parties.
- We do not use your videos to train our own AI models.
- We do not share your content with advertisers.
How long we keep it
- Active account data: Retained while your account is active.
- Deleted account data: Permanently removed from active systems within 24 hours of the deletion request.
- Backups: As described in the infrastructure section.
Your rights
You can request a copy of your data, correct inaccurate information, or delete your account at any time. Email support@globalvextraai.com for data-related requests.
Vulnerability disclosure
Found a security issue?
If you discover a vulnerability in Global Vextra AI, we want to hear about it. We have a published vulnerability disclosure policy that explains how to report issues responsibly.
We respond to security reports within 48 hours and commit to providing regular updates throughout the resolution process. Researchers who follow our policy are protected by a safe harbor clause.
For non-technical security concerns or questions about our practices, email support@globalvextraai.com.
Compliance roadmap
What we have today
- Layered security through certified infrastructure providers.
- Encrypted data in transit (TLS 1.3) and at rest (AES-256).
- Dependency vulnerability monitoring with automated alerts.
- Rate limiting and request authentication across our APIs.
- Published vulnerability disclosure policy with safe harbor.
- Static analysis and type checking on every change, with a feature-branch review workflow.
What we're working toward
We're committed to evolving our security program as we grow. Planned investments include formal third-party audits, expanded penetration testing, and additional certifications relevant to our customer base. We don't list certifications we haven't earned — when we complete an audit, we'll add it here with a verification link.
Have a specific compliance requirement?
If your organization requires specific certifications or attestations to evaluate Global Vextra AI, email support@globalvextraai.com and we'll discuss what's possible.
Questions about our security practices?
Email: support@globalvextraai.com
Vulnerability reports: see our Security Policy on GitHub.