Trust Center
How Vectiform protects your studio's data, designs, and brand. Last updated 2026-07-10.
Your brand is yours — full stop
Your product names, brand voice, naming patterns, and customer data are never shared with other studios, never used to name another brand's beads, and never shown outside your account. Your vocabulary is stored as your private data, not in shared code.
Network learning — on your terms
When enabled (the default), your confirmed classifications — dimension facts only, like "glass · purple · 8mm · crackle · bead" — join an anonymous pool that makes recognition smarter for every studio, including yours. Names and brand voice are never in the pool.
One-click opt-out:
One-click opt-out:
POST /api/<your-tenant>/learning {"share": false} — this removes you from both contributing and consuming. No penalty, reversible anytime.AI usage
Photos you scan are processed to classify your inventory and are stored in your private bucket. First-pass recognition runs on Cloudflare Workers AI inside the platform; complex scans may use Anthropic's Claude API. We do not train foundation models on your images; per Anthropic's API terms, API inputs are not used to train their models. AI suggestions are always queued for your approval before entering inventory.
Payments
Card data never touches Vectiform servers — checkout and payouts run entirely on Stripe (PCI-DSS Level 1). Subscriptions honor click-to-cancel: one call, access through your paid period, no further charges, no retention hoops.
Security posture
• All traffic TLS; hosted on Cloudflare's edge (DDoS-protected).
• API keys stored hashed (SHA-256) — we cannot read your key back.
• Per-tenant isolation enforced on every query; webhooks are token-gated and replay-deduplicated; Stripe webhooks are signature-verified with timestamp windows.
• Secrets managed via Cloudflare encrypted secrets; never in code or logs.
• Formal SOC 2 is on our roadmap; this page tracks our current controls honestly in the meantime.
• API keys stored hashed (SHA-256) — we cannot read your key back.
• Per-tenant isolation enforced on every query; webhooks are token-gated and replay-deduplicated; Stripe webhooks are signature-verified with timestamp windows.
• Secrets managed via Cloudflare encrypted secrets; never in code or logs.
• Formal SOC 2 is on our roadmap; this page tracks our current controls honestly in the meantime.
Data portability & deletion
Your inventory, designs, orders, and examples are exportable via the API at any time. Full account deletion on request removes your rows and stored images.