VenturiBase Security and Data Policy

Effective Date: December 1, 2025

VenturiBase, LLC (hereinafter, "VenturiBase," "we," "us," or "our") is committed to protecting the security, confidentiality, and integrity of Client data. This Security and Data Policy describes the technical, organizational, and procedural measures we employ to safeguard your data when you use our Services. This Policy supplements and should be read in conjunction with our Terms of Service and Privacy Policy.
1. OUR COMMITMENT TO DATA SECURITY

VenturiBase understands that you are entrusting us with your project management data, which may include sensitive business information. We take this responsibility seriously. This Policy documents our commitments to you regarding how we handle, protect, and limit our use of your data.

CORE COMMITMENTS:

(a) YOUR DATA IS YOURS: You retain full ownership of all data you provide to VenturiBase. We claim no ownership rights over your Planning Data.

(b) WE NEVER SELL YOUR DATA: VenturiBase does not sell, rent, lease, or trade your data to any third party for any purpose whatsoever.

(c) WE NEVER SHARE YOUR DATA: VenturiBase does not share your Planning Data with any third party except as strictly necessary to provide the Services (such as cloud infrastructure providers) and as disclosed in our Privacy Policy.

(d) WE NEVER USE YOUR DATA FOR OUR BENEFIT: VenturiBase does not use your Planning Data for analytics, benchmarking, machine learning training, product development insights, or any other purpose that benefits VenturiBase or other clients.

(e) YOUR DATA IS ISOLATED: Your data is logically isolated from other clients' data. No other client can access your data, and you cannot access theirs.
2. ENCRYPTION

2.1 Encryption in Transit

ALL data transmitted between your systems and VenturiBase is encrypted using Transport Layer Security (TLS) 1.3 or higher. This includes:

(a) All communications between your browser and our Website
(b) All API communications between our Services and third-party integrations (Jira, Azure DevOps, etc.)
(c) All internal communications between VenturiBase systems
(d) All communications with our cloud infrastructure providers

We enforce HTTPS for all connections. Unencrypted HTTP connections are automatically redirected to HTTPS. We do not support deprecated protocols such as SSL 3.0, TLS 1.0, or TLS 1.1.
2.2 Encryption at Rest

ALL data stored by VenturiBase is encrypted at rest using AES-256 encryption or equivalent. This includes:

(a) Planning Data stored in our databases
(b) Account information and credentials
(c) Backup data
(d) Log files containing any potentially sensitive information

Encryption keys are managed using industry-standard key management practices, with keys rotated regularly and stored separately from encrypted data.
3. DATA ISOLATION AND MULTI-TENANCY

VenturiBase operates a multi-tenant architecture with strict logical isolation between clients:

(a) Logical Isolation: Each client's data is logically separated at the database level. Access controls ensure that queries can only return data belonging to the authenticated client.

(b) Authentication Boundary: All data access requires authentication. No data is accessible without valid credentials tied to a specific client account.

(c) No Cross-Client Access: There is no mechanism, administrative or otherwise, for one client to access another client's Planning Data.

(d) Administrative Access Controls: VenturiBase personnel access to client data is strictly limited, logged, and auditable. Access is granted only on a need-to-know basis for support purposes and only with appropriate authorization.
4. DATA HANDLING COMMITMENTS

4.1 What We Do NOT Do With Your Data

VenturiBase makes the following binding commitments regarding your Planning Data:

(a) NO ANALYTICS ON YOUR DATA: We do not perform analytics, data mining, or statistical analysis on your Planning Data for any purpose other than providing the Services directly to you.

(b) NO MACHINE LEARNING TRAINING: We do not use your Planning Data to train machine learning models, artificial intelligence systems, or any automated learning systems. This includes our own AI-powered features - these are powered by third-party AI services that process your data only for the purpose of returning results to you, and do not retain or train on your data.

(c) NO AGGREGATION: We do not aggregate your Planning Data with other clients' data for benchmarking, research, or any other purpose.

(d) NO PROFILING: We do not create profiles or insights about your organization based on your Planning Data for any purpose other than providing the Services to you.

(e) NO SECONDARY USES: We do not use your Planning Data for any purpose other than providing the Services as described in our Terms of Service.
4.2 AI and Machine Learning Features

VenturiBase may offer AI-powered features such as epic discovery, planning recommendations, and intelligent suggestions. These features work as follows:

(a) Processing Only: AI features process your data only to provide results directly to you during your session.

(b) No Training: Your data is not used to train or improve AI models. Any AI models we use are either pre-trained on public data or are general-purpose models provided by third parties.

(c) Third-Party AI Providers: Where we use third-party AI services, those providers are contractually prohibited from retaining, training on, or using your data for any purpose other than processing your request.

(d) Transparency: We will clearly identify which features are AI-powered and provide information about how they work.
5. ACCESS CONTROLS

5.1 Client Access Controls

VenturiBase provides the following access control mechanisms for clients:

(a) Role-Based Access: Clients can define roles and permissions for their team members.

(b) Authentication: We support secure authentication methods including strong passwords with complexity requirements.

(c) Session Management: Sessions are secured with encrypted tokens, automatic timeout after periods of inactivity, and the ability to terminate active sessions.
5.2 VenturiBase Personnel Access

Access to client data by VenturiBase personnel is strictly controlled:

(a) Principle of Least Privilege: Employees are granted the minimum access necessary to perform their job functions.

(b) Access Logging: All access to production systems and client data is logged and auditable.

(c) Background Checks: Employees with access to client data undergo background checks as permitted by law.

(d) Training: All employees receive security awareness training upon hire and annually thereafter.

(e) Need-Based Access: Production data access requires documented business justification and management approval.
6. INFRASTRUCTURE SECURITY

6.1 Cloud Infrastructure

VenturiBase Services are hosted on reputable cloud infrastructure providers that maintain industry-standard security certifications. Our infrastructure includes:

(a) Geographically distributed data centers for reliability
(b) Physical security controls including access restrictions, surveillance, and environmental controls
(c) Network security including firewalls, intrusion detection, and DDoS protection
(d) Regular security assessments and penetration testing
6.2 Network Security

(a) Firewall Protection: All systems are protected by firewalls configured to allow only necessary traffic.

(b) Intrusion Detection: We employ intrusion detection and prevention systems to monitor for malicious activity.

(c) DDoS Protection: Our infrastructure includes protection against distributed denial-of-service attacks.

(d) Network Segmentation: Production systems are segmented from development and testing environments.
7. DATA BACKUP AND RECOVERY

7.1 Backup Practices

(a) Regular Backups: Client data is backed up regularly to ensure recoverability.

(b) Encrypted Backups: All backup data is encrypted using the same standards as production data.

(c) Geographically Distributed: Backups are stored in geographically separate locations from primary data.

(d) Backup Testing: We regularly test backup restoration procedures to ensure recoverability.
7.2 Disaster Recovery

VenturiBase maintains a disaster recovery plan designed to restore Services in the event of a significant incident. Our objectives include:

(a) Recovery Time: We aim to restore Services within 24 hours of a significant incident.

(b) Recovery Point: We aim to minimize data loss, targeting recovery to within 24 hours of the incident.

(c) Regular Testing: We regularly test our disaster recovery procedures.
8. INCIDENT RESPONSE

8.1 Security Incident Handling

In the event of a security incident that affects Client data, VenturiBase will:

(a) Containment: Take immediate steps to contain the incident and prevent further unauthorized access.

(b) Investigation: Conduct a thorough investigation to determine the scope and impact of the incident.

(c) Notification: Notify affected Clients without undue delay, and in any event within 72 hours of becoming aware of a breach involving their Personal Information, as required by applicable law.

(d) Remediation: Implement measures to prevent recurrence of similar incidents.

(e) Documentation: Maintain records of security incidents and response actions.
8.2 Client Notification

Security incident notifications will include, to the extent known:

(a) A description of the nature of the incident
(b) The categories and approximate number of records concerned
(c) The likely consequences of the incident
(d) The measures taken or proposed to address the incident
(e) Contact information for further inquiries
9. DATA RETENTION AND DELETION

9.1 Retention Periods

VenturiBase retains data only as long as necessary to provide the Services:

(a) Planning Data: Retained while your account is active. Deleted within 30 days of account termination.

(b) Account Data: Retained while your account is active and for a reasonable period thereafter for legal and business purposes.

(c) Billing Records: Retained as required by applicable tax and financial regulations.

(d) Logs: System and security logs are retained for up to 90 days for security and troubleshooting purposes.
9.2 Data Deletion

Upon termination of your account:

(a) You may request an export of your Planning Data within 30 days of termination.

(b) After the 30-day period (or earlier upon your request), we will delete your Planning Data from our production systems.

(c) Planning Data may persist in encrypted backups for up to 90 days, after which backup cycles will result in deletion.

(d) Deletion is permanent and irreversible.
9.3 Right to Deletion

You may request deletion of your Planning Data at any time by contacting security@venturibase.com. We will process deletion requests within 30 days.
10. THIRD-PARTY INTEGRATIONS

10.1 Integration Security

When you connect VenturiBase to third-party tools such as Jira or Azure DevOps:

(a) Authorized Access Only: We access third-party tools only through APIs and methods authorized by you and the third-party provider.

(b) Minimal Permissions: We request only the permissions necessary to provide the Services.

(c) Credential Security: API keys and access tokens are encrypted at rest and in transit.

(d) No Credential Storage Beyond Necessity: We do not store your third-party credentials longer than necessary to provide the Services.
10.2 Third-Party Data Handling

Data retrieved from third-party integrations is subject to this Security Policy:

(a) Same protections as directly uploaded data
(b) Same encryption standards
(c) Same access controls
(d) Same deletion procedures
11. COMPLIANCE AND CERTIFICATIONS

11.1 Regulatory Compliance

VenturiBase is designed to help Clients comply with applicable data protection regulations:

(a) GDPR: We provide mechanisms for data subject rights, data portability, and deletion as required by the General Data Protection Regulation.

(b) CCPA/CPRA: We provide mechanisms for California residents to exercise their rights under the California Consumer Privacy Act and California Privacy Rights Act.

(c) Data Processing: We are prepared to enter into Data Processing Agreements (DPAs) with Clients who require them.
11.2 Security Assessments

(a) Vulnerability Scanning: We conduct regular vulnerability scans of our systems.

(b) Penetration Testing: We conduct periodic penetration testing by qualified security professionals.

(c) Code Review: Security is considered throughout our development process, including code reviews.
12. CLIENT RESPONSIBILITIES

While VenturiBase implements robust security measures, security is a shared responsibility. Clients are responsible for:

(a) Credential Security: Maintaining the confidentiality of account credentials and API keys.

(b) Access Management: Managing user access within their organization, including promptly removing access for departed employees.

(c) Data Classification: Ensuring that data uploaded to VenturiBase is appropriate for cloud storage under the Client's own policies.

(d) Reporting: Promptly reporting any suspected security incidents or vulnerabilities to security@venturibase.com.

(e) Third-Party Authorization: Ensuring proper authorization before connecting third-party tools to VenturiBase.
13. CHANGES TO THIS POLICY

VenturiBase reserves the right to update this Security and Data Policy. Material changes will be communicated to Clients via email or through the Services at least 30 days before taking effect. Continued use of the Services after changes become effective constitutes acceptance of the updated Policy.
14. CONTACT INFORMATION

For questions about this Security and Data Policy, to report a security concern, or to exercise your data rights, please contact:

VenturiBase Security Team
Email: security@venturibase.com

For general inquiries:
VenturiBase, LLC
Email: support@venturibase.com
Website: https://www.venturibase.com
15. SUMMARY OF COMMITMENTS

For quick reference, here are VenturiBase's core security and data commitments:

DATA OWNERSHIP: Your data belongs to you. Always.

ENCRYPTION: 100% encryption at rest (AES-256) and in transit (TLS 1.3).

NO SELLING: We never sell your data. Period.

NO SHARING: We never share your data except as needed to provide Services.

NO TRAINING: We never use your data to train AI or ML models.

NO ANALYTICS: We never analyze your data for our benefit.

ISOLATION: Your data is isolated from all other clients.

DELETION: Your data is deleted when you ask, or within 30 days of account termination.

TRANSPARENCY: We will notify you of security incidents affecting your data.