Security
Built for the trust requirements of enterprise advertising.
VideoEV handles vehicle session data, bid-level signals, and advertiser budgets. This page documents our security controls, disclosure policy, and the questions your security team will ask.
Security controls
What we do to protect your data.
Encryption
- TLS 1.3 enforced for all data in transit — no fallback to older protocols
- AES-256 encryption for all data at rest across AWS infrastructure
- EVCCID resolution performed in isolated compute with encrypted output only — raw identifiers never leave the resolution layer
- Database encryption with AWS KMS-managed keys
Access Control
- Multi-factor authentication required for all production system access
- Role-based access control (RBAC) — least-privilege by default
- SSH access via short-lived certificates only (no persistent keys)
- All admin actions logged to immutable audit trail
- Quarterly access reviews — terminated employee access revoked same day
Infrastructure
- Hosted on AWS (us-east-1) — SOC 2 Type II, ISO 27001 certified infrastructure
- Private VPC with no public database endpoints
- Web Application Firewall (WAF) on all public endpoints
- DDoS mitigation via AWS Shield
- Automated vulnerability scanning on every deployment
Data Minimisation
- No name, email, phone, payment data, or government ID collected from EV drivers
- EVCCID (hardware identifier) processed only in memory during session resolution — not logged
- Bid requests contain vehicle tier and session signals only — no device IDs or cookies
- Session records anonymised to tier + MSRP band after 90 days
Application Security
- Dependency scanning on every pull request (npm audit, Dependabot)
- No secrets committed to version control — environment variables via AWS Secrets Manager
- Content Security Policy (CSP) headers on all web properties
- Annual third-party penetration test (next scheduled: Q4 2026)
Incident Response
- Written incident response plan with defined severity levels and escalation paths
- Breach notification within 72 hours for GDPR-covered data
- Postmortems published internally for all P1/P2 incidents
- Security contact: security@videoev.com — monitored 24/7
Compliance status
Where we stand today.
Authorised sellers declared at videoev.com/ads.txt
Publisher record available at videoev.com/sellers.json
Privacy policy, data subject rights process, DPA available on request
No sale of personal data, opt-out process documented
RFC 9116 disclosure file at /.well-known/security.txt
Controls implemented, audit engagement planned for H2 2026
Registration and self-attestation planned Q3 2026
Free self-assessment in progress via Cloud Security Alliance
Vulnerability disclosure
Found a vulnerability? Tell us.
VideoEV operates a responsible disclosure programme. If you believe you've found a security issue, we want to hear from you before it becomes a problem for our partners or their customers.
Our commitments to researchers
- We will acknowledge your report within 2 business days
- We will keep you updated on our progress toward a fix
- We will not pursue legal action against researchers acting in good faith
- We will credit you in our acknowledgments (if you wish)
- We aim to resolve critical issues within 7 days, high within 30 days
Report a vulnerability
Email us at security@videoev.com with a description of the issue, steps to reproduce, and impact assessment. Use PGP encryption for sensitive findings — key available on request.
Scope: videoev.com, data.videoev.com, demo.videoev.com, and all VideoEV-operated APIs. Out of scope: social engineering, physical attacks, and third-party infrastructure not operated by VideoEV.
Acknowledgments
Security researchers who helped us.
No vulnerabilities reported yet. Be the first — responsible disclosure credited here.
Enterprise security review?
We can complete your vendor security questionnaire, provide our CAIQ self-assessment, or arrange a call with our engineering team. Contact us and we'll respond within one business day.