Security

How we protect your data and infrastructure

1. Overview

At VoltageGPU, security is a core priority. We implement industry-standard security measures to protect your data, workloads, and infrastructure. This page provides transparency about our security practices for CTOs, CISOs (RSSIs), and security-conscious teams.

2. Data Encryption

2.1 Encryption in Transit

  • TLS 1.3: All communications are encrypted using TLS 1.3
  • HTTPS Only: All API endpoints and web interfaces require HTTPS
  • Certificate Management: Automated certificate renewal via Let's Encrypt

2.2 Encryption at Rest

  • Database: All database data is encrypted at rest using AES-256
  • Backups: Encrypted backups with separate key management
  • Secrets: Environment variables and API keys stored in encrypted vaults

2.3 Secret Management

  • API keys are hashed using bcrypt before storage
  • Secrets are never logged or exposed in error messages
  • Regular rotation of internal service credentials

3. Infrastructure Isolation

3.1 Compute Isolation

  • Container Isolation: Each GPU pod runs in an isolated container environment
  • Network Segmentation: Pods are isolated at the network level
  • Resource Limits: Strict CPU, memory, and GPU resource limits per pod

3.2 Tenant Separation

  • Logical Isolation: Complete data separation between customers
  • No Shared Storage: Each tenant has dedicated storage volumes
  • Namespace Isolation: Kubernetes namespaces for workload separation

4. Logging & Audit

4.1 What We Log

  • Authentication events (login, logout, failed attempts)
  • API requests (endpoint, timestamp, response code)
  • Resource provisioning and deprovisioning
  • Billing and payment events
  • Administrative actions

4.2 Log Retention

  • Security Logs: 12 months
  • Access Logs: 90 days
  • Audit Logs: 24 months

4.3 What We Don't Log

  • Passwords or authentication tokens
  • Full credit card numbers
  • Customer workload data or model outputs

5. Authentication & Access Control

5.1 User Authentication

  • Password Requirements: Minimum 8 characters, complexity enforced
  • Password Storage: bcrypt hashing with salt
  • Session Management: Secure, HTTP-only cookies with expiration
  • Email Verification: Required for account activation

5.2 API Authentication

  • API Keys: Unique per user, revocable at any time
  • Rate Limiting: Protection against brute force attacks
  • IP Allowlisting: Optional IP restrictions for API access

5.3 Internal Access

  • Principle of least privilege for all internal systems
  • Multi-factor authentication required for admin access
  • Regular access reviews and deprovisioning

6. Security Practices

6.1 Vulnerability Management

  • Dependency Scanning: Automated scanning of all dependencies
  • Security Updates: Critical patches applied within 24-48 hours
  • Regular Audits: Periodic security assessments

6.2 Secure Development

  • Code review required for all changes
  • Automated security testing in CI/CD pipeline
  • Input validation and output encoding
  • Protection against OWASP Top 10 vulnerabilities

6.3 Backup & Recovery

  • Database Backups: Daily automated backups
  • Retention: 30-day backup retention
  • Recovery Testing: Regular disaster recovery drills

7. Shared Responsibility Model

VoltageGPU Responsibilities

  • Platform security and infrastructure protection
  • Network security and DDoS protection
  • Physical security of data centers (via partners)
  • Security patching and updates
  • Access control and authentication systems
  • Encryption of data in transit and at rest

Customer Responsibilities

  • Securing your account credentials
  • Managing API key security and rotation
  • Security of your workloads and applications
  • Data classification and handling within your pods
  • Compliance with acceptable use policies
  • Reporting security concerns promptly

8. Incident Response

  • Detection: 24/7 monitoring and alerting
  • Response Time: Critical incidents addressed within 1 hour
  • Communication: Affected customers notified within 24 hours
  • Post-Incident: Root cause analysis and remediation

9. Compliance

  • GDPR: Full compliance with EU data protection regulations
  • PCI DSS: Payment processing via PCI-compliant providers (Stripe)
  • Data Residency: EU data processing available upon request

10. Security Contact

To report a security vulnerability or concern, please contact us at:

Security Email: security@voltagegpu.com
General Contact: contact@voltagegpu.com

We appreciate responsible disclosure and will acknowledge receipt within 24 hours.

11. Updates

This security page is reviewed and updated regularly to reflect our current practices.

Last Updated: January 2025