Security at VectorLay
Running untrusted workloads on distributed consumer hardware requires serious security. Here's how we protect your data and keep your workloads isolated.
Hardware-Level Isolation
Every workload runs in its own Kata Container—a lightweight VM with a separate kernel. There's no shared attack surface between workloads.
GPU Passthrough via VFIO
GPUs are passed directly to VMs using VFIO. The host system has no GPU drivers loaded, eliminating driver-level attack vectors.
Encrypted Communications
All data in transit is encrypted using TLS 1.3. Control plane communications use WebSocket over HTTPS with certificate pinning.
Zero-Access Architecture
Providers cannot access your workloads. The VM isolation ensures your code, data, and models remain completely private.
Automatic Failover
When nodes fail or become unresponsive, workloads are automatically migrated to healthy nodes with zero data persistence on failed hardware.
Access Controls
Role-based access control, API key management, and audit logging ensure you have complete control over who accesses your resources.
Our Security Model
VectorLay's security model is built on the principle of defense in depth. We assume that any component can be compromised and design our systems to contain potential breaches.
Workload Isolation
Unlike traditional container platforms that share a kernel, we use Kata Containers to provide VM-level isolation. Each workload runs in its own lightweight virtual machine with:
- Dedicated guest kernel (no shared kernel attack surface)
- Isolated memory address space
- Separate network namespace with controlled egress
- No direct access to host filesystem
GPU Security
GPUs are passed through to VMs using VFIO (Virtual Function I/O), which provides:
- Direct hardware access without host driver involvement
- IOMMU-enforced memory isolation
- No ability to access host memory or other VMs
- Complete GPU reset between workloads
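A host-side check for the VFIO and IOMMU properties listed above, as an added example that is not VectorLay's own code: it walks the Linux sysfs PCI tree and reports any display-class device that is not bound to `vfio-pci`, has no IOMMU group, or shares its group with a device still held by a host driver. The function names, the accepted peer drivers (`vfio-pci`, `pci-stub`, or unbound) and the sample tree builder are assumptions made for this example, and it assumes IOMMU groups that contain only PCI devices.

```python
import os
from pathlib import Path

def _driver(dev):
    """Kernel driver bound to a PCI device directory, or None if unbound."""
    link = dev / "driver"
    return os.path.basename(os.readlink(link)) if link.is_symlink() else None

def _base_class(dev):
    """PCI base class byte: 0x03 is a display controller, 0x06 a bridge."""
    return int((dev / "class").read_text().strip(), 16) >> 16

def audit_gpu_passthrough(sysfs_root="/sys"):
    """Map each display-class PCI address to a list of isolation findings."""
    devices = Path(sysfs_root, "bus", "pci", "devices")
    report = {}
    for dev in sorted(devices.iterdir()):
        if _base_class(dev) != 0x03:
            continue
        findings = []
        if _driver(dev) != "vfio-pci":
            findings.append(f"bound to {_driver(dev)}, not vfio-pci")
        peers_dir = dev / "iommu_group" / "devices"
        if not peers_dir.is_dir():
            findings.append("no IOMMU group (IOMMU off or unsupported)")
        else:
            for peer in sorted(p.name for p in peers_dir.iterdir()):
                pdev = devices / peer
                if peer == dev.name or _base_class(pdev) == 0x06:
                    continue  # the GPU itself, or a PCI bridge in its group
                # Assumed policy: peers must be vfio-pci, pci-stub or unbound.
                if _driver(pdev) not in ("vfio-pci", "pci-stub", None):
                    findings.append(f"group peer {peer} uses {_driver(pdev)}")
        report[dev.name] = findings
    return report

def build_constructed_sysfs(root, layout):
    """Write a constructed sysfs-like tree from {addr: (class, driver, group)}."""
    for addr, (pci_class, driver, group) in layout.items():
        dev = Path(root, "bus", "pci", "devices", addr)
        dev.mkdir(parents=True)
        (dev / "class").write_text(pci_class + "\n")
        if driver:
            os.symlink(f"/drivers/{driver}", dev / "driver")
        if group is not None:
            gdir = Path(root, "kernel", "iommu_groups", str(group), "devices")
            gdir.mkdir(parents=True, exist_ok=True)
            os.symlink(dev, gdir / addr)
            os.symlink(gdir.parent, dev / "iommu_group")
```

Calling `audit_gpu_passthrough()` with no argument reads the real `/sys` on a Linux host; an empty findings list for every GPU is the passing result.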
Network Security
All network communications are secured:
- TLS 1.3 for all API and WebSocket connections
- WireGuard VPN tunnels for node-to-control-plane communication
- Egress filtering to prevent unauthorized outbound connections
- DDoS protection at the edge proxy layer
Data Protection
Data in Transit
All data transmitted between clients, our control plane, and provider nodes is encrypted using TLS 1.3 with modern cipher suites. We enforce HTTPS everywhere and use HSTS to prevent downgrade attacks.
Data at Rest
Container images and workload data are stored in encrypted volumes. When a workload terminates, all associated data is securely wiped from the provider node.
No Data Persistence
By default, provider nodes do not retain any user data after workload completion. Ephemeral storage is cleared and GPUs are reset between deployments.
Access Controls
- API Keys: Scoped, rotatable credentials for programmatic access
- Organization Roles: Owner, Admin, Member with appropriate permissions
- Provisioning Tokens: One-time-use tokens for node registration, stored as hashes
- Audit Logs: Comprehensive logging of all authentication and authorization events
Infrastructure Security
Our control plane infrastructure is hosted on secure, SOC 2 compliant cloud providers with:
- Regular security patches and updates
- Network segmentation and firewalls
- Intrusion detection and monitoring
- Regular penetration testing
- Incident response procedures
Vulnerability Disclosure
We take security seriously and appreciate the efforts of security researchers. If you discover a security vulnerability, please report it responsibly:
- Email: security@vectorlay.dev
We commit to acknowledging your report within 48 hours and providing regular updates on our progress. We do not pursue legal action against researchers who follow responsible disclosure practices.
Compliance
We are actively working toward industry compliance certifications:
- SOC 2 Type II: In progress
- GDPR: Compliant
- CCPA: Compliant
Questions about security?
We're happy to discuss our security practices in more detail. Reach out to our security team.