Security overview
Unlimit Lab Limited · Vennari · Company No. 16925967
Vennari handles sensitive professional data — conversations, contacts, and biometrics. Unlimit Lab Limited treats security as a core product requirement, not a checkbox.
End-to-end encryption in transit
TLS 1.3 minimum on all connections. HSTS preloaded on all Vennari domains. Certificate pinning on iOS and Android. No plaintext data ever leaves your device.
Encryption at rest
AES-256 on all RDS PostgreSQL data and S3 objects. Face embeddings use column-level pgcrypto encryption with a separate AWS KMS key and an isolated IAM role that no other service assumes.
Asymmetric JWT (RS256)
All API tokens use RS256. The 4096-bit RSA private key lives exclusively in AWS Secrets Manager. Access tokens expire in 60 minutes; refresh tokens rotate on every use and are invalidated on logout.
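The rotate-on-use and invalidate-on-logout behaviour described above, as an added illustration that is not Vennari's code: a minimal single-use refresh-token store. The in-memory dict stands in for a Redis keyspace, and the session identifier, the refresh lifetime and storing only SHA-256 digests of tokens are assumptions, not details stated on this page.

```python
import hashlib
import secrets
import time

ACCESS_TTL_SECONDS = 60 * 60          # access tokens expire in 60 minutes (stated above)
REFRESH_TTL_SECONDS = 30 * 24 * 3600  # assumed refresh lifetime; not stated on the page


class RefreshTokenStore:
    """Single-use refresh tokens: each use issues a replacement and retires the old one.

    Only digests of tokens are stored, so a leaked store yields no usable tokens.
    The dicts below stand in for a Redis keyspace (assumption).
    """

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._active = {}      # token digest -> (user_id, session_id, expires_at)
        self._sessions = {}    # session_id -> digest of its currently valid token

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, session_id):
        """Mint a fresh token for the session, retiring any earlier one."""
        old = self._sessions.get(session_id)
        if old is not None:
            self._active.pop(old, None)
        token = secrets.token_urlsafe(32)
        self._active[self._digest(token)] = (user_id, session_id, self._now() + REFRESH_TTL_SECONDS)
        self._sessions[session_id] = self._digest(token)
        return token

    def rotate(self, token):
        """Exchange a valid token for a new one; the presented token becomes unusable."""
        record = self._active.pop(self._digest(token), None)
        if record is None:
            raise PermissionError("unknown, already-used or revoked refresh token")
        user_id, session_id, expires_at = record
        if self._now() > expires_at:
            self._sessions.pop(session_id, None)
            raise PermissionError("refresh token expired")
        return user_id, self.issue(user_id, session_id)

    def logout(self, session_id):
        """Invalidate the session's current refresh token."""
        digest = self._sessions.pop(session_id, None)
        if digest is not None:
            self._active.pop(digest, None)
```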
WAF + rate limiting + DDoS
AWS WAF with managed rule groups (OWASP Top 10) in front of all API endpoints. Per-user rate limits enforced in Redis. AWS Shield Standard provides DDoS mitigation at the CloudFront edge.
Face Vault isolation
The face_vault module is architecturally isolated: separate DB table with column-level encryption, separate Redis keyspace, dedicated KMS key. No other SQLAlchemy model, route, or worker can import from it.
SAST + dependency scanning
Bandit (Python), SwiftLint security rules, and Detekt run on every pull request in CI. GitHub Dependabot auto-patches known CVEs. Secrets scanning blocks commits containing credentials.
Biometric authentication
Face ID / Touch ID (iOS) and BiometricPrompt (Android) gate Face Vault access and optionally the full app. JWT tokens are stored in the iOS Keychain and the Android Keystore.
SOC 2 Type II (roadmap)
Unlimit Lab Limited targets SOC 2 Type II certification within 12 months of GA launch. An independent penetration test is commissioned before launch and annually thereafter.
Found a vulnerability?
We operate a responsible disclosure programme. Email security@vennari.ai with full details.
Unlimit Lab Limited acknowledges within 24 hours and patches critical issues within 72 hours. We do not pursue legal action against good-faith researchers.