Vanta Master Subscription Agreement FAQ

Thank you for reviewing the Vanta Master Subscription Agreement ("MSA"). We value your time and hope that by offering you additional information on the scope of Vanta services and how they work, we can proactively address questions and concerns you may have. Please note that this FAQ is for informational purposes only and does not constitute legal advice or form part of the MSA.
‍

1. What are you purchasing?

Your company is purchasing a subscription to Vanta’s trust management platform, which is a cloud-hosted SaaS application that supports the management and administration of your Governance, Risk and Compliance (GRC) programs (defined in the MSA as the “Services”). A more detailed description of the Services can be found here. All Vanta subscriptions also include access to remote technical support offered pursuant to our Support Policy (as linked in our MSA). 

Vanta currently does not offer any professional services and no such services are included in your purchase. If you are interested in professional services, you may purchase them separately from one of our third-party partners, but it is not part of your Vanta subscription.

‍

2. What data is collected by the Services?

You control what data is ingested into and processed by the Vanta Services (defined in the MSA as “Customer Information”) based on your use of the Service features and integrations. Whether the Customer Information provided includes any personal or confidential data depends entirely on the configurations set by your internal team. The Services integrates with your cloud providers to check metadata related to the system settings of those cloud providers. As such, Vanta does not have or request access to the underlying data stored in the third-party tools and products you integrate with the Services (e.g., data in databases or storage buckets).

Customers who choose to integrate third-party services into the Services may also share certain credentials like API keys for those services. Virtually all integrations to the Services grant read-only access, with the exception of certain task tracker integrations which you can configure to allow Vanta to create tickets.

Additionally, the Services collect analytic usage data such as log data and metadata about how you interact with the platform (defined in the MSA as “Usage Data”) that we use to improve, support and promote the Services. This data is separate and distinct from Customer Information. Usage Data is inherent to the functionality of the Services and therefore cannot be turned off on a customer-by-customer basis.
‍

3. What type of personal data is collected by the Services? Can I sign a Data Processing Addendum (“DPA”)?

Vanta’s platform is designed to access specific, limited categories of personal data. Because the Services do not access the data underlying the integrations you make to the platform, Vanta does not access any data of your end customers or end users in your systems or third-party tools through these integrations. 

If your use of the Service features and integrations involves the ingesting of personal data, the categories of personal data Vanta may process include name, email address, job title, username, device identifiers (e.g. serial number), IP addresses, installed applications for company device, background check verification records (i.e., whether an employee completed and/or passed a required background check), security training records (i.e., whether an employee or contractor completed required security trainings) of your employees, contractors, and other authorized users.

‍
Vanta’s DPA is incorporated by reference into the MSA. If you would like to have a signed version of  the DPA, Vanta makes a self-service DPA available for you to sign here. Upon signature of the self-service version, both parties will receive a copy of a static, fully executed DPA. Please reach out to your Vanta AE to inquire about changes to the DPA.
‍

4. Will use of the Services involve the processing of sensitive personal data, Personal Health Information (PHI), PCI data or other personal financial information? Do the parties need a Business Associate Agreement (BAA)?

‍No. Vanta does not require access to any sensitive personally identifiable information, including PHI, and such data is not permitted to be uploaded to the platform. Nor does Vanta require access to any social security numbers, credit card numbers, or other cardholder data.

Because Vanta is not processing any PHI, a BAA is not required and Vanta does not sign them with customers.

‍

5. Is my data ever shared with third parties?

Vanta only uses Customer Information to provide the services to you and thus only shares your Customer Information (and any personal data therein) with service providers as necessary to provide the services. The relevant service providers with whom Vanta shares Customer Information are Vanta’s sub-processors who support the delivery of the services, as listed in our Trust Center.  

Vanta may share Usage Data with third parties but will never do so in a way that identifies you or your users. Any sharing of or public reference to Usage Data (e.g., marketing claims such as “Vanta ran over 1 billion tests last year” or “Vanta has over 12,000 customers”) will always be anonymous and/or aggregated and anonymous. More information on Usage Data can be found in our Privacy Policy.
‍

6. How is my data protected?

Security of our Services and Customer Information is a top priority for Vanta. We implement and maintain industry standard administrative, physical and technical safeguards to protect Customer Information. A description of our security controls and certifications (including our SOC 2 Type II report and ISO 27001 certification) are maintained on Vanta’s Trust Center and further referenced in Vanta’s Information Security Addendum embedded in the MSA.
‍

7. Do Vanta’s services include Artificial Intelligence? Does Vanta train any Artificial Intelligence models using my data?

Vanta does offer features that leverage the use of artificial intelligence, machine learning, or similar technologies. These features are on by default but can be turned off for your entire Vanta instance by any administrator-level user.

‍Vanta does not, and does not permit any third party, to use any of your Customer Information to train any AI models.

Our Artificial Intelligence terms can be found in Section 4.6 of the MSA and our AI Principles can be found here. Vanta maintains an ISO 42001 certification, which is the international standard for AI management and governance.
‍

8. Does Vanta delete my data? Can Vanta return my data to me at the end of my subscription?

Our standard operational practice is to delete Customer Information within 365 days after a customer's subscription ends, or sooner upon your request. 

Unfortunately, Vanta cannot guarantee that your Customer Information will be accessible after the end of your subscription, however our Services give you the ability to export your data at any time during your subscription term.

‍

9. Does Vanta offer the right to terminate my subscription for convenience?

No, Vanta does not offer customers the right to terminate a subscription for convenience. Our subscriptions are structured and priced as single- or multi-year terms to which both parties must remain committed during the specified service period.

‍

10. Does Vanta offer indemnification?

Yes, Vanta provides all customers with an indemnity against claims alleging that our Services infringe on a third party’s intellectual property rights. As is standard market practice for SaaS providers, Vanta does not offer indemnities beyond those covering third party IP infringement claims.
‍

11. Does Vanta offer unlimited liability for breach of confidentiality or data breaches?

No, like other Saas providers, Vanta does not offer unlimited liability for breach of confidentiality or data breaches. Vanta has been extremely careful to design our product in a way that doesn't access sensitive personal information or any data belonging to your customers in your systems or third-party cloud tools.

‍

12. Does Vanta permit its customers to conduct audits?

No, given the size of our customer base we are not able to accommodate individual audits by each customer. However, Vanta publicly and continuously demonstrates our security and compliance on a live basis via its Trust Center at http://trust.vanta.com and gives you access to our independent third party audit reports and certifications. Through our Trust Center you have access to our SOC 2 Type 2 report, ISO27001 certification, Penetration Test Summaries, Code of Conduct and other materials demonstrating our security and compliance.

‍

13. Does Vanta offer an SLA?

Yes, Vanta has a service level agreement embedded in our MSA. The success of Vanta’s platform delivery model is predicated on the efficiency of our one-to-many infrastructure. Because our Services are the same across our entire customer base, the applicable SLA cannot be modified on a customer-by-customer basis. 

‍

14. Does Vanta offer price protection for renewals?

If you want to lock in current pricing, we offer multi-year terms where pricing is fixed for your entire subscription term. Additionally, by default all Vanta order forms include terms giving you a level of pricing predictability for renewals of your existing products. 

‍

15. My organization is based in the EU. Do your terms cover any EU-specific regulations that apply to the purchase of SaaS products?

Yes, our DPA incorporates addenda covering rights and obligations imposed by the EU Data Act and, for EU financial institutions, the Digital Operational Resilience Act (DORA).Such addenda, combined with the existing rights and obligations set forth in the MSA and the DPA sufficiently address such regulations to the extent applicable to you and the Services.

‍

‍