Security at Vistra
How we protect your data and keep the platform accountable.
Last updated: June 2026
Security is built into how Vistra works. This page summarises the measures we take to protect your data. For how we handle personal information, see our Privacy Policy.
Access control
- Email-based authentication with JWT access and refresh tokens.
- Account lockout after repeated failed login attempts.
- Granular sharing — view or edit permissions, with the ability to revoke access at any time.
- Share links can be password-protected and given expiry dates and usage limits.
Audit & accountability
- Field-level change history on records, so you can see who changed what.
- Access logs for every share, link access, invite, and version event.
- Soft deletes — data is retired rather than destroyed outright, supporting recovery and audit.
Platform protection
- Request logging with sensitive-data redaction.
- IP-based protection against suspicious and abusive access patterns.
- Encryption of data in transit.
Responsible disclosure
If you believe you have found a security vulnerability, please report it privately to hello@vistra.report. We appreciate responsible disclosure and will work with you to investigate and resolve valid reports.
Questions about this policy? Contact us or email hello@vistra.report.