Security and methodology
AI Vendor Packet is built for vendor review evidence with official source links. This page explains the current security posture and where human review remains required.
Last reviewed: May 21, 2026
| Control | Current posture |
|---|---|
| Private app routes | Workspace, billing, admin, findings, and report pages require an authenticated session. |
| Session handling | Authenticated sessions use HTTP-only cookies and server-side access checks. |
| Rate limits | Scanner routes and public API endpoints have basic request limits to reduce abuse. |
| Input boundaries | Scanner parameters and review notes are normalized before use. |
| Audit trail | Finding review changes are recorded with previous and next status, applicability, actor, note, and time. |
| Secret handling | Server-only keys should not be exposed to browser code. Client-side files are checked for secret environment names. |
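The "Secret handling" row describes a build-time check that client-side files do not reference server-only environment variable names. The script below is an added example of such a check, written for this page; it is not AI Vendor Packet's own code. The environment variable names, file paths and file contents are constructed for illustration, and the check treats any name in the server-only list as a finding wherever it appears as a whole token (`process.env.NAME`, `env['NAME']`, or a bare string).

```python
"""Added example (not AI Vendor Packet's own code): report references to
server-only environment variable names inside client-side source files.

The names, paths and file contents below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed list of server-only environment variable names. In a real
# project this list would be derived from the names the server modules read,
# and public names (whatever prefix convention the project uses) are simply
# not on it.
SERVER_ONLY_ENV_NAMES = [
    "DATABASE_URL",
    "STRIPE_SECRET_KEY",
    "SESSION_SIGNING_SECRET",
    "OPENAI_API_KEY",
]


def _token_pattern(name: str) -> "re.Pattern[str]":
    # Match the name only as a whole identifier token, so MY_DATABASE_URL_HINT
    # does not count as a reference to DATABASE_URL.
    return re.compile(r"(?<![A-Za-z0-9_])" + re.escape(name) + r"(?![A-Za-z0-9_])")


def find_secret_references(
    files: Dict[str, str], secret_names: List[str] = SERVER_ONLY_ENV_NAMES
) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, env_name) for every client-side line that
    references a server-only environment variable name."""
    findings: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name in secret_names:
                if _token_pattern(name).search(line):
                    findings.append((path, lineno, name))
    return findings


# Constructed sample client-side files (not real project files). The second
# line of the billing page deliberately reads a server-only key in browser code
# so the check has something to report.
SAMPLE_CLIENT_FILES = {
    "web/app/billing/page.js": (
        "const publishable = process.env.PUBLIC_STRIPE_KEY;\n"
        "// server-only key read in browser code: should be flagged\n"
        "const secret = process.env.STRIPE_SECRET_KEY;\n"
    ),
    "web/lib/session-client.js": (
        "export function hasSessionCookieHint() {\n"
        "  return document.cookie.includes('session=');\n"
        "}\n"
    ),
    "web/lib/db-client.js": "const url = process.env['DATABASE_URL'];\n",
}


def check_passes(files: Dict[str, str] = SAMPLE_CLIENT_FILES) -> bool:
    """True when no client-side file references a server-only name."""
    return not find_secret_references(files)


if __name__ == "__main__":
    for path, lineno, name in find_secret_references(SAMPLE_CLIENT_FILES):
        print(f"{path}:{lineno}: server-only env name {name} referenced in client code")
    raise SystemExit(0 if check_passes() else 1)
```

Run as a CI step against the directory of browser-delivered sources, the script exits non-zero on the first finding; the sample input above produces two findings (the billing page and the database client) and fails, while a file set that only reads public names passes.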
Methodology
| Area | How AI Vendor Packet handles it |
|---|---|
| Source selection | AI Vendor Packet starts with official vendor documentation or clearly identified primary sources. |
| Change review | Findings separate source text, impact hypothesis, unknowns, and suggested review actions. |
| Uncertainty | If applicability is unclear, the product should say so and route the item to human review. |
| Product boundary | The product supports review packets with official source links and evidence organization. It does not provide legal opinions or compliance certification. |
Reference points
These public FTC resources inform the product security checklist. They do not replace a company-specific security program.
AI Vendor Packet organizes official-source review evidence and suggested review actions. It does not provide legal advice. Security controls should be reviewed before processing sensitive customer data.