10. Liability Limitation; Damages Exclusion. EXCEPT FOR LIABILITY ARISING FROM A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 11, FROM A PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS UNDER SECTION 8, OR FROM CUSTOMER’S BREACH OF SECTION 3.3: (I) NEITHER PARTY WILL BE LIABLE FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, INDIRECT, OR PUNITIVE DAMAGES IN CONNECTION WITH ANY CLAIM OF ANY NATURE ARISING UNDER THIS AGREEMENT, EVEN IF SUCH PARTY HAS BEEN GIVEN ADVANCE NOTICE OF SUCH POSSIBLE DAMAGES, AND (II) EACH PARTY’S MAXIMUM AGGREGATE LIABILITY FOR ALL CLAIMS OF ANY NATURE ARISING OUT OF THIS AGREEMENT WILL NOT EXCEED THE FEES PAID TO VANTA UNDER THE APPLICABLE ORDER FORM DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. THE ABOVE LIMITATION SET FORTH IN SUBSECTION (II) ABOVE DOES NOT INCLUDE ANY FEES PAID OR PAYABLE BY CUSTOMER.
12. Publicity. Unless otherwise specified, the Company may use Customer’s name, logo and marks (including marks on Customer Properties) to identify Customer as a Company customer on Company’s website and other marketing materials.
13. Notices. All notices under this Agreement must be in writing and sent via email. Notices will be deemed given five (5) business days after being sent. Notices must be addressed, if to Vanta, to Support@Vanta.com; and, if to Customer, to Attn: Legal at the contact address set forth in the Order Form (and, for notices permitted to be sent via email, to the email address set forth on the signature page).
14. Entire Agreement. This Agreement represents the entire agreement between Vanta and Customer with respect to Customer’s use of the Subscription Service and the related matters set forth in it. As between Vanta and Customer, this Agreement expressly supersedes (i) any terms or conditions stated in a Customer purchase order or similar document, whether submitted or executed before or after the Effective Date, and (ii) any other contemporaneous or prior agreements or commitments regarding the Subscription Service or the other subject matter of this Agreement. This Agreement may be modified only in a written amendment or agreement executed by an authorized representative of each party.
15. General. Neither party is liable for delay or default under this Agreement if caused by conditions beyond its reasonable control (e.g., acts of God). This Agreement is governed by the internal laws of the State of California, without regard to its conflicts of law rules, and each party hereby consents to exclusive jurisdiction and venue in the state and federal courts located in San Francisco County, California for any dispute arising out of this Agreement. Either party may assign this Agreement in connection with a merger or similar transaction, or to a company acquiring substantially all of its assets, equity, or business, without any requirement to obtain permission for such assignment; otherwise, neither party may assign this Agreement to a third party without the written consent of the other party in advance. This Agreement will bind and benefit the parties, their successors, and their permitted assigns. Each party is an independent contractor to (and may not act on behalf of or bind) the other. The waiver of any breach of any provision of this Agreement will be effective only if in writing, and no such waiver will operate or be construed as a waiver of any subsequent breach. This Agreement may be signed in counterparts and by facsimile, an e-sign tool, or PDF.
16. Foreign Corrupt Practices Act. Vanta agrees to comply with and not to perform any act that would subject Customer to sanctions under the U.S. Foreign Corrupt Practices Act as amended from time to time. For its part, Customer agrees that it does not desire and will not request any service or action by Vanta that would or might constitute a violation of the U.S. Foreign Corrupt Practices Act.
In general, Vanta attempts to limit its access to read-only permissions. Vanta is a monitoring tool and does not make changes to your systems; it needs only enough permission to read how your systems are configured and to make suggestions that improve your security.
Unfortunately, some APIs do not offer a level of granularity that restricts access to read-only permissions on the resources Vanta needs. In those cases Vanta must accept read/write permissions even though it never modifies your environment.
This document lists all of our integrations, the permissions model each integration uses, and notes where those permissions are broader than our use case requires. Where the permissions are broader than we require, we have noted why we ask for them and any known issues with the integration.
We typically fetch a list of user accounts from all services. This list typically contains the date each account was created, a user ID, and potentially an email address associated with the account. This allows Vanta to track employee accounts in external services and ensure that they are deprovisioned when employees are offboarded.
In addition to the user accounts on these services, Vanta also fetches the resources you have configured in your infrastructure accounts. This allows Vanta to do inventory management as well as alert when cloud resources fall out of compliance.
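The offboarding check described above, reduced to its core reconciliation step, as an added example (this is not Vanta's code and does not use any Vanta API). It assumes an identity-provider export with a termination date per employee and per-service account lists shaped like the minimum fields the text mentions (user ID, creation date, optional email); all sample data below is constructed. Beyond the text, it also flags accounts that cannot be mapped to any employee at all, since those can never be proven offboarded.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample identity-provider export (hypothetical people and dates).
IDP_EMPLOYEES = [
    {"email": "alice@example.com", "terminated": None},
    {"email": "bob@example.com", "terminated": date(2023, 5, 1)},
    {"email": "carol@example.com", "terminated": None},
]

# Constructed per-service account lists: user ID, creation date, optional email.
SERVICE_ACCOUNTS: Dict[str, List[dict]] = {
    "github": [
        {"id": "u1", "created": date(2021, 1, 4), "email": "alice@example.com"},
        {"id": "u2", "created": date(2021, 3, 9), "email": "bob@example.com"},
        {"id": "u9", "created": date(2023, 6, 2), "email": None},  # no email on record
    ],
    "aws": [
        {"id": "AIDA1", "created": date(2022, 2, 1), "email": "bob@example.com"},
        {"id": "AIDA2", "created": date(2022, 2, 1), "email": "carol@example.com"},
    ],
}


@dataclass(frozen=True)
class Finding:
    service: str
    account_id: str
    email: Optional[str]
    reason: str


def find_stale_accounts(employees: List[dict],
                        accounts_by_service: Dict[str, List[dict]],
                        as_of: date) -> List[Finding]:
    """Return accounts that should no longer exist as of `as_of`:
    - accounts whose email belongs to an employee terminated on or before `as_of`,
    - accounts whose email is unknown to the identity provider, and
    - accounts with no email, which cannot be tied to anyone.
    """
    terminated = {
        e["email"].lower(): e["terminated"]
        for e in employees
        if e["terminated"] is not None and e["terminated"] <= as_of
    }
    known = {e["email"].lower() for e in employees}
    findings: List[Finding] = []
    for service, accounts in accounts_by_service.items():
        for acct in accounts:
            email = (acct.get("email") or "").lower() or None
            if email is None:
                findings.append(Finding(service, acct["id"], None,
                                        "no owner email; cannot map to an employee"))
            elif email in terminated:
                findings.append(Finding(service, acct["id"], email,
                                        f"owner terminated on {terminated[email].isoformat()}"))
            elif email not in known:
                findings.append(Finding(service, acct["id"], email,
                                        "email not in identity provider"))
    return findings


def sample_findings(year: int = 2023, month: int = 7, day: int = 1) -> List[Finding]:
    """Run the check over the constructed data as of the given date."""
    return find_stale_accounts(IDP_EMPLOYEES, SERVICE_ACCOUNTS, date(year, month, day))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.service}:{f.account_id} ({f.email or '-'}) -> {f.reason}")
```

Running it as of 2023-07-01 reports Bob's GitHub and AWS accounts plus the ownerless GitHub user `u9`; run as of 2023-04-01, before Bob's termination date, only `u9` is reported. Matching on email alone is the weakest link here: services that expose only an opaque user ID need a separate mapping table before this check can say anything about them.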
Connection: AWS Role
Vanta needs read-only AWS credentials with limited permissions in order to monitor your AWS configurations. An AWS administrator for your organization can create the necessary IAM role through the AWS UI.
Vanta connects using an IAM role with the AWS-managed SecurityAudit policy attached. More information on this policy can be found on the AWS website.
In addition to the AWS provided permissions, Vanta also asks for dynamodb:ListTagsOfResource and sqs:ListQueueTags in order to run tag-based filtering on resources.
These permissions do not allow Vanta to read any of your data (for example, the objects in your S3 buckets). Vanta reads only metadata such as the list of your buckets, their names, their tags, and their IAM bindings.
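To make the AWS role above reviewable rather than click-through, here is an added example (not Vanta's code, and not the policy Vanta's console generates) that builds the two policy documents the role needs and then audits a policy for anything that is not metadata-only. The account ID and external ID are placeholders: Vanta's real account ID is not on this page, and requiring an external ID in the trust policy is a general best practice for third-party roles that this page does not mention. The audit's read-only verb list and its set of "reads data, not metadata" actions are this example's own classification, not an AWS definition.

```python
import json
import re
from typing import List, Tuple

# Placeholders, not values from the page: substitute what Vanta shows you
# when adding the AWS integration.
VANTA_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "replace-with-the-external-id-vanta-shows-you"

SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"
# The two tag-read actions the page says Vanta needs beyond SecurityAudit.
EXTRA_ACTIONS = ["dynamodb:ListTagsOfResource", "sqs:ListQueueTags"]


def trust_policy(account_id: str = VANTA_ACCOUNT_ID,
                 external_id: str = EXTERNAL_ID) -> dict:
    """Who may assume the role: one account, and only when it presents the
    agreed external ID (the usual confused-deputy guard for third-party roles)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def extra_permissions_policy(actions: List[str] = EXTRA_ACTIONS) -> dict:
    """Inline policy for the additional tag reads; attach next to SecurityAudit."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "VantaTagReads", "Effect": "Allow",
                       "Action": list(actions), "Resource": "*"}],
    }


# Verbs this example treats as reading configuration or metadata only.
READ_VERBS = ("Get", "List", "Describe", "Lookup", "Search", "Check", "View")
# Read-only by verb, but they return customer data rather than metadata.
DATA_ACCESS = {
    "s3:GetObject", "s3:GetObjectVersion",
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan",
    "secretsmanager:GetSecretValue", "kms:Decrypt", "sqs:ReceiveMessage",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
}
_ACTION = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*]+)$")


def audit_policy(policy: dict) -> List[Tuple[str, str]]:
    """Flag every Allow action that is a wildcard, mutating, or reads data.
    Returns (action, reason) pairs; an empty list means metadata-only."""
    findings: List[Tuple[str, str]] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            m = _ACTION.match(action)
            if action == "*" or m is None or "*" in m.group(2):
                findings.append((action, "wildcard"))
            elif action in DATA_ACCESS:
                findings.append((action, "data-access"))
            elif not m.group(2).startswith(READ_VERBS):
                findings.append((action, "mutating"))
    return findings


def render(policy: dict) -> str:
    """JSON as you would paste it into the IAM console or pass to the CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(trust_policy()))
    print(render(extra_permissions_policy()))
    print("inline policy findings:", audit_policy(extra_permissions_policy()))
```

The audit covers only the document you feed it; to check the managed policy as well, fetch its current version's document (`iam:GetPolicyVersion`) and pass that in. Treat "data-access" findings as the ones that contradict the metadata-only claim above, and "wildcard" or "mutating" findings as the ones that contradict read-only.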
Connection: OAuth at a global scope
The teams endpoint is what allows us to fetch the different users in your Heroku account so that you can view and manage all of your company’s Heroku users. Accessing the teams endpoint requires global access.
Additionally, in order for us to fetch each of your apps’ ssl-endpoints, Heroku unfortunately has a known issue where they require a scope with write access to your account. If you are a Heroku enterprise customer, you can restrict permissions using App Permissions, which can limit the scope of what Vanta is allowed to do.
Connection: Service Account
To link GCP, you can create a GCP Service Account in one of your GCP projects.
You manage this service account, which means you can deprovision it at any time, you control the permissions it is granted, and you can adjust those permissions without re-linking to Vanta.
A private key is generated for the service account, and this private key is uploaded to vanta.com/manage/credentials.
Identity providers supply the list of employees to Vanta, which uses it to track when an employee leaves the company. Vanta also fetches additional metadata, such as whether two-factor authentication is enabled and when the user last logged in.
Vanta requests OAuth scopes:
View domains related to your customers
View groups on your domains
View users on your domain
Manage data access permissions for your users on your domain (*This can be removed upon request, though it may disable some functionality in the product -- please reach out to your customer success representative for more information.)
Connection: API Token
Vanta uses this API token for two purposes:
Vanta connects to version control systems to check whether best practices are being followed for code management and deploying changes. Examples of data that Vanta verifies are whether pull request templates are being used and whether branch protection is enforcing code reviews. A list of pull requests is also fetched so that auditors can check whether changes are approved before being deployed.
Connection: GitHub App
Scopes: read-only access to code, admin, commit status, issues, members, metadata and pull requests
- code: to look for a PR template in repo contents
- admin: used to check branch protection
- commit statuses/PRs: used to demonstrate your code review process to auditors
- issues: check for security issue SLAs
- members: to check who has access to your repositories
- metadata: from GitHub's documentation, "GitHub Apps have the Read-only metadata permission by default. The metadata permission provides access to a collection of read-only endpoints with metadata for various resources.”
Connection: OAuth - read/write api access
Reason: GitLab does not have read-scoped API access
Connection: OAuth - read your account, read repos, admin and read team membership
We fetch the same data from all task trackers.
Connection: OAuth - default and email scopes. Asana scopes are documented here.
Connection: API Token
The Clubhouse API uses token-based authentication. More information can be found in their documentation.
Connection: API token for a specific user
The permissions that Vanta receives will match the account the token is created on. For example, if you send an API token from a Jira user/account that is limited to read access, the API token given to Vanta will only have read permissions.
Connection: API Token
Connection: API Key
The API token allows access to data in all projects that the user that created it is a member of. More details about the API token can be found on the Pivotal Tracker website.
Connection: OAuth - read scope. Documentation is available on the Trello website.
Human resources integrations are used for fetching a list of background checks on employees.
Connection: Access token
Connection: API Key
Connection: Application and API Key. User accounts and the list of alarms/monitors is fetched from Datadog.
Connection: OAuth - scopes team:read, users:read
Connection: API Key