Frequently Asked Questions (FAQ):
Security & Trust
1. CMMC & Government Compliance
Does Vector GFX comply with CMMC 2.0 requirements?
Yes. Vector GFX aligns its internal operations and secure development lifecycle with NIST SP 800-171, the foundation for CMMC 2.0 Level 2 (Advanced). We maintain a "Zero-Knowledge" architecture to ensure our software can be safely used in regulated DoD supply chain environments.
Does Vector GFX have access to the drawings or CUI I create in Canvas X Draw?
No. Vector GFX never sees, stores, or transmits your data. Canvas X Draw is a "Local-First" desktop application. All files, blueprints, and Controlled Unclassified Information (CUI) remain on your local machine or your organization’s internal network.
Is there an "Air-Gapped" version for secure facilities?
Yes. We offer an offline version of Canvas X Draw designed for high-security environments (SCIFs). This version supports offline activation, ensuring the software functions perfectly without ever needing an internet connection.
2. Cyber Defense & Prevention
How does Vector GFX prevent vulnerabilities in its software?
Our Cyber Defense Program (CDP) utilizes a multi-layered approach:
Continuous Scanning: We use Static (SAST) and Dynamic (DAST) analysis to catch code flaws before release.
SBOM Management: We maintain a Software Bill of Materials to monitor and patch third-party libraries.
MFA & Encryption: All source code is housed in a secure AWS enclave protected by Multi-Factor Authentication and the Principle of Least Privilege.
How do I know my installer hasn't been tampered with?
Every production installer for Windows (.exe) and macOS (.dmg) is digitally signed by Vector GFX, Inc. Users should always verify the digital signature in the file properties before installation to ensure authenticity.
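One way to perform the signature check above from a shell instead of the file-properties dialog, as an added example that is not Vector GFX's own tooling: the PowerShell function below verifies a Windows installer's Authenticode signature and then confirms that the signer is the expected publisher, because a valid signature from some other publisher also shows as "OK" in the properties dialog. The installer path and the expected certificate subject pattern are assumed placeholders; confirm the subject against the certificate the vendor actually signs with.

```powershell
# Added example (not Vector GFX's code): verify a downloaded Windows installer
# before running it. Placeholder path and subject pattern; adjust to match the
# vendor's real signing certificate.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed pattern; check the Subject of the real certificate first.
        [string] $ExpectedSubjectPattern = 'CN=Vector GFX, Inc\.'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the signature verifies AND the certificate
    # chains to a trusted root. 'NotSigned', 'HashMismatch' (file modified after
    # signing) and 'NotTrusted' (untrusted chain) all mean: do not run it.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false
            Reason = "Signature status: $($sig.Status) - $($sig.StatusMessage)"
        }
    }

    # A valid signature from the wrong publisher is still untrusted: pin the
    # signer subject rather than relying on the "OK" shown in the dialog.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch $ExpectedSubjectPattern) {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false; Reason = "Unexpected signer: $subject"
        }
    }

    return [pscustomobject]@{
        Path        = $Path
        Trusted     = $true
        Signer      = $subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        # A timestamped signature remains valid after the signing cert expires.
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        Reason      = 'Valid signature from the expected publisher'
    }
}

# Usage with a placeholder path:
Test-InstallerSignature -Path 'C:\Downloads\CanvasXDraw-Setup.exe' | Format-List
```

Treat anything other than Trusted = True as a reason to discard the download and obtain the installer again from the vendor's site.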
What is your policy on patching older versions of Canvas X Draw?
We follow an N-1 Support Model:
Current Version (N): Full security maintenance for Critical, High, and Medium vulnerabilities.
Preceding Version (N-1): Maintenance for Critical security vulnerabilities only.
Legacy (EOL): Software older than N-1 is End-of-Life and does not receive security updates.
3. Vulnerability Disclosure & Response
How do I report a security concern or a bug?
Security Vulnerabilities: Email support@vectorgfx.net (e.g., memory corruption, unauthorized access).
General Bugs: Email support@vectorgfx.net (e.g., tool crashes, UI glitches).
What is your timeline for fixing a reported "Critical" vulnerability?
We acknowledge critical reports within 24 business hours. Our target for releasing a verified "Critical" patch is 30 days.
Does Vector GFX have an Incident Response plan?
Yes. In the event of a verified breach or "Zero-Day" exploit, we follow a formal IR protocol. If customer systems are at risk, we commit to notifying affected users via our Security Advisory mailing list within 72 hours.
4. Researcher "Safe Harbor"
Does Vector GFX allow security research on its products?
Yes. We maintain a Safe Harbor policy for good-faith research. If you follow our disclosure guidelines (no harm, quick reporting, and 90-day confidentiality), we consider your research authorized and will not initiate legal action under the CFAA or DMCA.
What is considered "Out-of-Scope" for security testing?
We do not authorize social engineering (phishing) of our employees, physical security testing of our offices, or testing of our third-party providers (AWS, GitHub, etc.).
5. Compliance Assets
Where can I find technical proof of your security programs?
security.txt: Available at vectorgfx.net/.well-known/security.txt.
Security Advisory Log: Accessible in our online Knowledge Base.
Attestation: Annual security attestation documents are available upon request for Enterprise and Government customers.