Vanta Information Security Addendum
- Introduction
Security is at the heart of Vanta’s mission. This Information Security Addendum (the “Addendum”) describes Vanta’s comprehensive information security program for the Services and Customer Information. Capitalized terms not defined in this Addendum have the meanings set forth in the MSA at vanta.com/terms.
- Information Security Program
Vanta maintains an ISO 27001-compliant risk-based information security governance program. The framework for Vanta’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Information.
Vanta has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, formally assigning roles and responsibilities for information security and data privacy functions, and periodically reviewing and updating its information security program as appropriate.
- Access Controls
Vanta uses secure access protocols and processes and follows industry best-practices for authentication, including Multifactor Authentication and Single Sign On (SSO). All production access requires the use of two-factor authentication, and production network infrastructure is securely configured to industry best practices to block all unnecessary ports, services, and unauthorized network traffic.
- Device Security
Corporate devices that process Customer Information are centrally managed and are equipped with mobile device management software and anti-malware protection, with security configurations such as disk encryption, screen lock configuration, and software updates enforced. Endpoint security alerts are monitored with 24/7/365 coverage.
- Awareness and Training
Vanta provides comprehensive security training to all employees upon onboarding and annually through educational modules within Vanta’s own platform. In addition, all new employees attend a mandatory onboarding session centered around key security principles. All new engineers also attend a mandatory onboarding session focused on secure coding principles and practices.
- Data Encryption
Vanta has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Vanta uses recommended secure cipher suites and protocols to encrypt traffic in transit (i.e. TLS 1.2).
Databases housing sensitive Customer Information are encrypted at rest. Vanta uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and at rest. Vanta has controls in place for encryption-at-rest using industry standard AES-256 encryption to secure volume (disk) data and for key management.
- Deletion of Customer Information
During the term of the Agreement, Customer may delete Customer Information using the self-service functionality available within the Services. Following the effective date of termination or expiration of a Customer’s agreement for the Services, Vanta will delete Customer Information by expunging such Customer’s unique instance of the Vanta Services within 365 days, or earlier upon request.
- Customer-Configurable Security Controls
Vanta provides a variety of configurable security controls that allow Customer to manage and protect its own use of the Services, including SSO authentication for administrative and user access and role-based access controls and permissions for access to resources. Customer is responsible for appropriately configuring such controls taking into account the nature of its Customer Information.
- Incident Response
Vanta maintains an incident response plan with measures to be followed in the event of any breach of security that causes the unlawful or accidental destruction, alteration, damage, or loss of, unauthorized disclosure of, or access to, Customer Information. Such measures include prompt investigation and notification of Customer in accordance with the Agreement and DPA.
- Penetration Testing
Vanta engages a third party to conduct penetration testing at least annually. All areas of the Vanta product and cloud infrastructure are in-scope for these assessments. A summary of the most recent penetration testing report is available upon request at trust.vanta.com.
- Bug Bounty Program
Vanta engages a third party to manage a vulnerability disclosure program as well as a private bug bounty program. All valid issues identified are handled according to our vulnerability management program.
- Vulnerability Management
Vanta maintains a vulnerability management program that includes regular network scanning and scanning at key stages of Vanta’s secure development lifecycle and remediation of vulnerabilities on a risk basis in accordance with internal SLAs.
- Backups
Daily, weekly and monthly backups of production datastores are taken. Backups are periodically tested in accordance with information security and data management policies.
- Sub-processors
Vanta conducts reasonable diligence and security assessments of Sub-processors using a risk-based approach. Vanta enters into Data Processing Agreements with its Sub-processors with data protection obligations substantially similar to those contained in this DPA.
- Audits and Certifications
Vanta conducts regular third-party audits to ensure compliance with our privacy and security standards, including but not limited to annual SOC 2 Type II and ISO 27001 audits. Vanta’s SOC 2 Type II audit includes the Security, Availability, and Processing Integrity Trust Service Criteria. Vanta’s privacy controls as a Data Processor are certified to ISO 27701. AI Risk Management processes are certified to ISO 42001.
- Physical Security
Vanta has reasonable controls in place to ensure the physical locations that process, store, or transmit Customer Information are appropriately secured. Vanta’s hosting and cloud infrastructure is provided by AWS, housed in physical data centers managed by AWS. Additional information is available here: https://aws.amazon.com/compliance/data-center/controls/
- Logging and Monitoring
Vanta monitors access to applications, tools, and resources that process or store Customer Information, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.
- Change and Configuration Management
Vanta adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.
- Data Integrity and Management
Vanta’s Customers unilaterally determine what Customer Information they route through the Services. As such, Vanta operates on a shared responsibility model.
Vanta has a multi-tiered approach for ensuring data quality. These measures include: (i) unit testing to ensure the quality of logic used to process API calls, (ii) database schema validation rules which execute against data before it is saved to our database, and (iii) a schema-first API design using GraphQL and strong typing to enforce a strict contract between official clients and API resolvers. Vanta applies these measures across the board, both to ensure quality and to ensure that the Vanta Services are operating within expected parameters.
- Updates
Vanta may update or modify this Addendum from time to time, provided that such updates and modifications do not materially reduce the overall security of the Service.