Security

Built for the trust requirements of enterprise advertising.

VideoEV handles vehicle session data, bid-level signals, and advertiser budgets. This page documents our security controls, disclosure policy, and the questions your security team will ask.

TLS 1.3 · AES-256 at rest · MFA enforced · No PII in bid stream · SOC 2 Type II in progress

Security controls

What we do to protect your data.

Encryption

  • TLS 1.3 enforced for all data in transit, no fallback to older protocols
  • AES-256 encryption for all data at rest across AWS infrastructure
  • EVCCID resolution performed in isolated compute with encrypted output only, raw identifiers never leave the resolution layer
  • Database encryption with AWS KMS-managed keys

Access Control

  • Multi-factor authentication required for all production system access
  • Role-based access control (RBAC), least-privilege by default
  • SSH access via short-lived certificates only (no persistent keys)
  • All admin actions logged to immutable audit trail
  • Quarterly access reviews, terminated employee access revoked same day

Infrastructure

  • Hosted on AWS (us-east-1), on SOC 2 Type II and ISO 27001 certified infrastructure
  • Private VPC with no public database endpoints
  • Web Application Firewall (WAF) on all public endpoints
  • DDoS mitigation via AWS Shield
  • Automated vulnerability scanning on every deployment

Data Minimisation

  • No name, email, phone, payment data, or government ID collected from EV drivers
  • EVCCID (hardware identifier) processed only in memory during session resolution, not logged
  • Bid requests contain vehicle tier and session signals only, no device IDs or cookies
  • Session records anonymised to tier + MSRP band after 90 days

Application Security

  • Dependency scanning on every pull request (npm audit, Dependabot)
  • No secrets committed to version control, environment variables via AWS Secrets Manager
  • Content Security Policy (CSP) headers on all web properties
  • Annual third-party penetration test (next scheduled: Q4 2026)

Incident Response

  • Written incident response plan with defined severity levels and escalation paths
  • Breach notification within 72 hours for GDPR-covered data
  • Postmortems published internally for all P1/P2 incidents
  • Security contact: security@videoev.com, monitored 24/7

Compliance status

Where we stand today.

IAB ads.txt: Live

Authorised sellers declared at videoev.com/ads.txt

IAB sellers.json: Live

Publisher record available at videoev.com/sellers.json

GDPR: Aligned

Designed for GDPR alignment. Privacy policy, data-subject rights process, and DPA available on request. Counsel review pending.

CCPA / CPRA: Aligned

Designed for CCPA / CPRA alignment. No sale of personal data, opt-out process documented. Counsel review pending.

security.txt: Live

RFC 9116 disclosure file at /.well-known/security.txt

SOC 2 Type II: In progress

Controls implemented, audit engagement planned for H2 2026

TAG Brand Safety: Planned

Registration and self-attestation planned Q3 2026

CSA STAR Level 1: Planned

Free self-assessment in progress via Cloud Security Alliance

Vulnerability disclosure

Found a vulnerability? Tell us.

VideoEV operates a responsible disclosure programme. If you believe you've found a security issue, we want to hear from you before it becomes a problem for our partners or their customers.

Our commitments to researchers

  • We will acknowledge your report within 2 business days
  • We will keep you updated on our progress toward a fix
  • We will not pursue legal action against researchers acting in good faith
  • We will credit you in our acknowledgments (if you wish)
  • We aim to resolve critical issues within 7 days, high within 30 days

Report a vulnerability

Email us at security@videoev.com with a description of the issue, steps to reproduce, and an impact assessment. Use PGP encryption for sensitive findings; our key is available on request.

Scope: videoev.com, data.videoev.com, demo.videoev.com, and all VideoEV-operated APIs. Out of scope: social engineering, physical attacks, and third-party infrastructure not operated by VideoEV.

Acknowledgments

Security researchers who helped us.

No vulnerabilities reported yet. Be the first; responsible disclosures are credited here.

Enterprise security review?

We can complete your vendor security questionnaire, provide our CAIQ self-assessment, or arrange a call with our engineering team. Contact us and we'll respond within one business day.

Platform Status

Where VideoEV is today.

VideoEV is in active pilot, not a fully productionized network. This strip is the single source of truth for the platform’s operational posture. If a page elsewhere reads as more productionized than this, trust this strip.

Product: Active pilot

Pilot campaigns running on OCPP-compatible hardware. Aggregate pilot benchmarks publish on /how-it-works#methodology once volume supports a stable figure.

Inventory posture: Walled garden

VideoEV is currently a closed inventory network. Demand runs through the VideoEV self-serve console and direct IO with our media team. External DSP integrations (Amazon DSP, The Trade Desk, Vistar) are target paths on the roadmap, not live production integrations.

CSMS integrations: OCPP-compatible

VideoEV reads OCPP 2.0.1 natively. Driivz, AMPECO, ChargeLab, and EV Connect are the target CSMS platforms for the read-only integration. Live event streams are not yet in production; no commercial partnerships are contracted.

Public API: v1 preview (early access)

The API surface on /developers is the target contract for v1. Sandbox URLs and credentials are issued to approved partners during onboarding, not publicly published. Production scale-out is gated by SOC 2 Type II.

Attribution: Pixel today · AMC-ready

Default measurement today is pixel-based. VideoEV exports hashed exposures in AMC's advertiser-uploaded-data schema; clean-room match runs inside the advertiser's own AMC instance once connected. VideoEV does not operate the clean room, and direct VideoEV ↔ AMC live plumbing is not in production.

SOC 2 Type II: In progress

Controls implemented, audit engagement planned for H2 2026. GDPR and CCPA / CPRA posture is designed-for alignment; counsel review pending.