Skip to main content
Variable is committed to maintaining the security, confidentiality, and integrity of our customer’s data. We have implemented a comprehensive security program that includes administrative, technical, and physical safeguards to protect the data that we process. You can see more details in our Trust Center.

How your data is protected

Variable’s security program covers the people, processes, and infrastructure handling your data:
  • Encryption - data is encrypted in transit (TLS) and at rest
  • SOC 2 Type II - independently audited controls covering security, availability, and confidentiality
  • Regular testing - third-party penetration tests and continuous internal security reviews
  • Role-based access - owners, admins, contributors, and viewers, with per-organization scoping
  • SSO - single sign-on available for enterprise plans
For the full set of controls, certifications, and sub-processors, visit the Trust Center.

Reporting a vulnerability

If you believe you’ve found a security vulnerability in Variable, please report it to us privately at security@variable.co. Please do not file a public issue. Please include:
  • A description of the issue and its potential impact
  • Steps to reproduce, or a proof-of-concept
  • The affected component, endpoint, or version (if known)
  • Any relevant logs, screenshots, or sample payloads
A machine-readable version of this policy is published at /.well-known/security.txt per RFC 9116.

What to expect from us

When you report a vulnerability in good faith, we will:
  • Acknowledge receipt within 3 business days
  • Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline
  • Credit you in the release notes once a fix is shipped, if you’d like

Scope

In scope:
  • The Variable web application (app.variable.global)
  • The Variable public API
  • The Variable MCP endpoint
  • Official Variable client libraries and integrations
Out of scope:
  • Findings from automated scanners without a demonstrated impact
  • Denial-of-service attacks, volumetric attacks, or rate-limit testing
  • Social engineering of Variable employees, customers, or partners
  • Physical attacks against Variable offices or infrastructure
  • Issues in third-party services we depend on (please report those directly to the upstream vendor)
  • Vulnerabilities requiring physical access to a user’s device or a fully compromised account

Safe harbor

We will not pursue legal action against researchers who:
  • Make a good-faith effort to comply with this policy
  • Avoid privacy violations, data destruction, and service disruption
  • Give us reasonable time to remediate before any public disclosure
  • Only interact with accounts they own or have explicit permission to test

Coordinated disclosure

We prefer coordinated disclosure. Once a fix is deployed, we’re happy to collaborate with you on a public write-up and will credit you appropriately.