General Data Protection Regulation

Last Updated: Oct 26, 2022

As a global application service provider, in accordance with our information security and data privacy practices as Data Processor, Vanta complies with all applicable data privacy regulations. We are providing the following information in order for users and customers to understand our compliance posture.

Questions and comments can be sent to:


Individual Responsible for GDPR Compliance

Matt Cooper, Principal, Cybersecurity & Data Privacy

Purpose of Processing

To provide a continuous security and compliance monitoring and audit readiness platform, which includes security awareness education and compliance workflow management.

Notice regarding the collection and use of Personally Identifiable Information (PII) can be found here:

Lawful Basis for Collection & Processing

All PII collected and processed within Vanta is in accordance with a Master Services Agreement between Vanta and the Data Controller.

Data Subject Access Requests (DSAR)

Requests for data access, modification or deletion may be sent to

Data Retention

Customer Data, including PII, is securely deleted from Vanta systems following service termination or upon customer request.

Vanta-controlled PII is deleted in accordance with internal policy, when it no longer has business value, or upon Data Subject request.

Data Protection & Information Security

Vanta maintains a comprehensive information security management system to protect and preserve the confidentiality, integrity and availability of Customer Data, which is audited annually by a qualified third-party assessor.

Our Data Security Statement can be found here:

Our current SOC 2 Type II Report is available upon request.

Breach Notification

Any breach of PII will be promptly reported to Customers, Data Subjects and Data Authorities in accordance with our Incident Response Policy and all applicable regulatory requirements.
