# Security

Variable is committed to maintaining the security, confidentiality, and integrity of our customers' data. We have
implemented a comprehensive security program that includes administrative, technical, and physical safeguards to
protect the data that we process. You can see more details in our [Trust Center](https://trust.variable.global).

## How your data is protected

Variable's security program covers the people, processes, and infrastructure handling your data:

* **Encryption** - data is encrypted in transit (TLS) and at rest
* **SOC 2 Type II** - independently audited controls covering security, availability, and confidentiality
* **Regular testing** - third-party penetration tests and continuous internal security reviews
* **Role-based access** - owners, admins, contributors, and viewers, with per-organization scoping
* **SSO** - single sign-on available for enterprise plans

For the full set of controls, certifications, and sub-processors, visit the [Trust Center](https://trust.variable.global).

## Reporting a vulnerability

If you believe you've found a security vulnerability in Variable, please report it to us privately at **[security@variable.co](mailto:security@variable.co)**. Please do not file a public issue.

Please include:

* A description of the issue and its potential impact
* Steps to reproduce, or a proof-of-concept
* The affected component, endpoint, or version (if known)
* Any relevant logs, screenshots, or sample payloads

A machine-readable version of this policy is published at [`/.well-known/security.txt`](https://app.variable.global/.well-known/security.txt) per [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116).

## What to expect from us

When you report a vulnerability in good faith, we will:

* Acknowledge receipt within **3 business days**
* Make best efforts to keep you updated, complete our investigation promptly and, if applicable, confirm our remediation strategy within an established timeline
* Credit you in the release notes once a fix is shipped, if you'd like

## Scope

In scope:

* The Variable web application (app.variable.global)
* The Variable public API
* The Variable MCP endpoint
* Official Variable client libraries and integrations

Out of scope:

* Findings from automated scanners without a demonstrated impact
* Denial-of-service attacks, volumetric attacks, or rate-limit testing
* Social engineering of Variable employees, customers, or partners
* Physical attacks against Variable offices or infrastructure
* Issues in third-party services we depend on (please report those directly to the upstream vendor)
* Vulnerabilities requiring physical access to a user's device or a fully compromised account

## Safe harbor

We will not pursue legal action against researchers who:

* Make a good-faith effort to comply with this policy
* Avoid privacy violations, data destruction, and service disruption
* Give us reasonable time to remediate before any public disclosure
* Only interact with accounts they own or have explicit permission to test

## Coordinated disclosure

We prefer coordinated disclosure. Once a fix is deployed, we're happy to collaborate with you on a public write-up and will credit you appropriately.
