The boring parts done right.
EU residency, Firecracker isolation per preview, TLS 1.3 + AES-256, training-opt-out by default, full code ownership. The detail is below — written so a security questionnaire has answers without a phone call.
How VULK is built, in six pillars.
Data residency
The production database is PostgreSQL 16 hosted on AWS RDS in eu-central-1 (Frankfurt). Application servers are in the EU. Static assets are CDN-distributed. No customer record is moved outside the EU without an explicit DPA addendum.
- Database: AWS RDS eu-central-1 (Frankfurt)
- App servers: Hetzner FSN1 (Falkenstein, DE)
- CDN: Cloudflare global edge (HTTPS only)
Generation isolation
Every live preview runs in a dedicated Firecracker microVM with its own kernel, rootfs and network namespace. One project cannot read or affect another's process tree, filesystem or network. VMs are torn down after the session — no shared persistent state.
- Per-preview Firecracker microVM
- Network namespace + iptables egress filter
- Ephemeral rootfs, destroyed on session end
Encryption
TLS 1.3 in transit everywhere. AES-256 at rest on RDS and on R2 / S3 storage. Customer secrets are held in a keychain and exposed to the application only as environment variables; they are never logged and never returned in API responses. Webhook payloads are HMAC-signed.
- TLS 1.3 (HTTPS only)
- AES-256 at rest (RDS, R2, S3)
- Secrets never logged or echoed
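The HMAC-signed webhook mentioned above only protects a receiver that actually checks the signature. The following is an added example of what that check looks like on the receiving side; it is not VULK's code, and the secret, the `t=<timestamp>,v1=<hex>` header format and the five-minute freshness window are assumptions made for the example. Binding the timestamp into the MAC input and using a constant-time comparison are the two details that are easy to get wrong.

```python
import hashlib
import hmac

# Constructed values for this example: the secret, the header format
# "t=<unix-timestamp>,v1=<hex-hmac-sha256>" and the 5-minute freshness
# window are assumptions, not VULK's documented scheme.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the signature header a sender attaches to a delivery.

    The timestamp is folded into the MAC input so that a captured
    delivery cannot be replayed later once it falls outside the window.
    """
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def _parse_signature_header(header: str):
    """Return (timestamp, hex_signature), or None if the header is malformed."""
    fields = {}
    for part in header.split(","):
        key, sep, value = part.partition("=")
        if not sep:
            return None
        fields[key.strip()] = value.strip()
    try:
        return int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        return None


def verify_webhook(secret: bytes, header: str, body: bytes, now: int) -> bool:
    """Accept a delivery only if the header parses, the timestamp is fresh,
    and the recomputed HMAC matches under a constant-time comparison."""
    parsed = _parse_signature_header(header)
    if parsed is None:
        return False
    timestamp, received = parsed
    # Reject stale (or far-future) deliveries before doing any MAC work.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    # A signature that is not even valid hex can never match; reject it
    # explicitly rather than letting compare_digest raise on odd input.
    try:
        bytes.fromhex(received)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample delivery.
    sample_body = b'{"event":"deploy.finished","project":"demo"}'
    sample_header = sign_payload(WEBHOOK_SECRET, 1_700_000_000, sample_body)
    print(sample_header)
    print(verify_webhook(WEBHOOK_SECRET, sample_header, sample_body, now=1_700_000_010))
```

The receiver must compute the MAC over the raw request bytes exactly as received, not over a re-serialised JSON object, since any whitespace or key-order change alters the digest.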
AI provider policy
We route through OpenRouter to Anthropic, Google, OpenAI and others. Default routing is to providers configured for zero training. On Pro and above, we additionally pin generation to no-training endpoints and turn off cross-session caching.
- Zero-retention by default on routed models
- No-training pin available on Pro+
- BYOK (bring your own key) on Business tier
Authentication
User authentication uses NextAuth with PKCE. Stripe customer linking is server-side only. MFA is optional; SAML / OIDC SSO is available on the Business plan, with audit-log delivery to your SIEM.
- NextAuth (PKCE, secure-only cookies)
- Optional MFA via TOTP
- SAML / OIDC SSO on Business tier
Code ownership
Every project is your code. Export to GitHub or as a zip; run it on your infra; cancel us tomorrow and the apps you built keep running. We don't hold a license over your output, and we don't gate runtime behind a SaaS subscription.
- Full repo export (GitHub or zip)
- No proprietary runtime
- MIT-licensable on your terms
How we handle compliance.
What we do today — straight, no certifications we don't hold.
| Framework | Status | Detail |
|---|---|---|
| GDPR | Aligned | VULK is the data controller. DPA available on request. Sub-processors disclosed and notified on change. |
| Data Processing Agreement | Available | Sent free for Pro and Business plans. Enterprise terms reviewed within 5 business days. |
| PCI-DSS | N/A — Stripe handles cards | Card data never touches VULK servers. Stripe Checkout / Elements handles all PCI scope. |
Who else touches your data.
We are required to disclose every external service that may process your data. Notification on change is part of the DPA.
| Service | Purpose | Region |
|---|---|---|
| AWS (RDS, S3) | Database + storage | eu-central-1 (Frankfurt) |
| Hetzner Online | Application + preview hosting | Falkenstein, Germany |
| Cloudflare | CDN, DNS, R2 storage, deploy | Global edge |
| Stripe | Billing + payment processing | EU + US (PCI-compliant) |
| Resend | Transactional email | EU |
| OpenRouter | AI model routing | Global (zero-retention provider routing) |
| Sentry | Error monitoring | EU |
Found a vulnerability? Tell us first.
We welcome responsible disclosure. Email security@vulk.dev with reproduction steps, expected vs. observed behaviour, and any CVSS-style severity assessment. We will acknowledge within 24 hours and triage within 72. We do not require an NDA to talk to a researcher.
Bounty payouts are reviewed case-by-case based on impact. Public credit (or anonymous, your choice) is offered in the changelog.
Last reviewed: April 30, 2026