
Security, built for enterprise.

End-to-end encryption on every record. Continuous third-party audit. Every major certification a global employment platform needs — and the reports to prove it.

Certifications · all active

Eight independent audits, one honest posture.

We do not list badges we do not hold. Every certification below is backed by a third-party auditor's report, which we are happy to share under NDA. Request one via contact.

SOC 2 Type II

Annual third-party audit of our security, availability, confidentiality, and processing integrity controls. Report available under NDA.

Last audit · Q1 · 2026 · Active

ISO 27001 : 2022

International standard for information security management. Covers risk assessment, access control, cryptography, and operational security.

Last audit · Q4 · 2025 · Active

ISO 27017

Cloud-specific extension to 27001. Controls for shared responsibility between Vectis and our cloud provider, and tenant isolation.

Last audit · Q4 · 2025 · Active

ISO 27018

Protection of personally identifiable information in public cloud. Applies to every record we process on behalf of a customer.

Last audit · Q4 · 2025 · Active

GDPR · EU + UK

Full compliance with the General Data Protection Regulation. DPA available on request. Standard contractual clauses in place for transfers.

Last audit · Continuous · Active

CCPA · Aligned

California Consumer Privacy Act. Right to know, right to delete, right to opt out, and no sale of personal information.

Last audit · Continuous · Active

PCI DSS · Level 1

Payment Card Industry Data Security Standard at the highest level. Applies to the card-handling path when customers pay for the platform.

Last audit · Q2 · 2026 · Active

HIPAA · Ready

Administrative, physical, and technical safeguards required to process protected health information for customers who need it.

Last audit · Q1 · 2026 · Active

Technical controls

Every pill below is live in production and monitored twenty-four hours a day by our security operations centre.

256-bit AES at rest · TLS 1.3 in transit · Hardware security modules · Multi-party computation · Zero-trust network · 24 / 7 SOC monitoring · Quarterly penetration tests · 90-day key rotation

Application security

Infrastructure

Responsible disclosure

Report vulnerabilities to security@vectis.app. We acknowledge within one working day, triage within three, and coordinate disclosure. We do not take legal action against researchers who follow these guidelines.

Sub-processors and DPA

The current list of sub-processors, their purpose, and the data they touch lives on the DPA page. Updates are announced thirty days in advance to account admins.