Priority security controls from Vanta

These are the most critical controls to ensure Chili Piper is protected from common attacks.

MFA on accounts

COMPLETE

Access to sensitive systems and applications requires two factor authentication in the form of user ID, password, OTP and/or certificate.

2 TESTS

MFA on GSuite: Inspected all GSuite users and determined that each account is configured with MFA.

MFA on version control tool: Inspected all users of the company's version control tool and determined that each account is configured with MFA.

Password manager

COMPLETE

These are the most critical factors that ensure Truework has security coverage over the most common vectors of attack.

2 TESTS

Password managers required: Inspected Chili Piper's security policies and determined that employees are required to use a password manager to set, store, and retrieve passwords for cloud services.

Password manager records: Inspected employee computers and determined that each was running a password manager and that employees knew to use it when setting, retrieving, and storing company passwords.

Daily database backups

COMPLETE

Backups are performed daily and retained in accordance with a pre-defined schedule in the Backup Policy.

2 TESTS

Company has a Backup Policy: Inspected the Backup Policy and determined it specified how often backups should be made and for how long they should be kept.

Daily database backups (GCP): Inspected the database configuration and determined that backups are made daily using the infrastructure provider's automated backup service.

SSL used

COMPLETE

The company ensures that all connections to its web application from its users are encrypted.

4 TESTS

SSL configuration has no known issues: Inspected the SSL configurations used to encrypt all data in transit and determined that there are no known issues.

SSL enforced on company website: Observed a user connecting to the company website and application and determined both are reachable exclusively over HTTPS. Further observed that if the user manually edits the URL to start with http://, s/he will be redirected to an https:// URL.

SSL certificate has not expired: Inspected the certificate used to encrypt all data in transit and determined it has not expired.

Strong SSL/TLS ciphers used: Inspected the SSL/TLS ciphers used to encrypt all data in transit and determined that they are all secure.

Unique accounts

COMPLETE

Access to corporate network, production machines, network devices, and support tools requires a unique ID.

5 TESTS

Employees have unique infrastructure accounts: Inspected the configuration for the company's infrastructure tool and confirmed that employees have unique accounts on the service.

Employees have unique email accounts: Inspected the configuration for the company's email tool and confirmed that employees have unique accounts on the service.

Employees have unique version control accounts: Inspected the configuration for the company's version control tool and confirmed that employees have unique accounts on the service.

Employees have unique chat accounts: Inspected the configuration for the company's chat tool and confirmed that employees have unique accounts on the service.

Service accounts used (GCP): Inspected the configuration for the company's infrastructure provider and confirmed that permissions are assigned to services via IAM roles, rather than having individual users or groups attached.

V 0.1

Vanta report

Vanta tested Chili Piper’s security and IT infrastructure to ensure the company has a strong security posture, as defined by industry-standard security standards.

In this report, Vanta:

  • Tests a complete set of security and infrastructure controls that may appear in a SOC 2 audit
  • Identifies gaps and vulnerabilities in infrastructure and processes

This document is updated continuously. As Chili Piper improves its security posture, those efforts will be instantly visible.

Intended use

This Vanta Report can be used by:

  • Chili Piper to identify issues critical for remediation
  • Chili Piper’s customers to understand the company’s security posture

Vanta Report approach: continuous monitoring

Vanta continuously monitors the company’s policies, procedures, and IT infrastructure to ensure the company adheres to industry-standard security, privacy, confidentiality, and availability standards.

To do this, Vanta connects directly to the company’s infrastructure accounts, version control tools, task trackers, endpoints, hosts, HR tools, and internal policies. Vanta then continuously monitors these resources to determine if Chili Piper meets the SOC 2 standard.

In compiling this report, Vanta took into account Chili Piper’s unique requirements and technical environment, including business model, products and services, and interactions with customer data.

V 1.0

Data and privacy

V 1.1

Customer data policies

2 CONTROLS

Customer data policies

COMPLETE

Company management has approved Chili Piper policies that detail how customer data may be made accessible and should be handled. These policies are accessible to all employees and contractors.

2 TESTS

Policies cover employee access to customer data: Inspected Chili Piper's security policies and determined they outline requirements for granting employees access to and removing employee access from customer data.

Policies cover employee confidentiality regarding customer data: Inspected Chili Piper's security policies and determined they require employees keep confidential any information they learn while handling customer data.

Least-privileged policy for customer data access

COMPLETE

The company authorizes access to information resources, including data and the systems that store or process customer data, based on the principle of least privilege.

1 TEST

Least privileged policy for customer data access: Inspected Chili Piper's security policies and determined that they require that employees may only access the customer data they need in order to complete their jobs.

V 1.3

Internal admin tool

1 CONTROL

Require encryption of web-based admin access

COMPLETE

Encryption is used to protect user authentication and administrator sessions of the internal admin tool transmitted over the Internet.

1 TEST

SSL/TLS on admin page of infrastructure console (GCP): Inspected the admin page and log in of the company's Infrastructure as a Service provider and determined that all connections happen over SSL/TLS with a valid certificate from a reliable Certificate Authority.

V 2.0

Internal security procedures

V 2.1

Software development life cycle

1 CONTROL

Version control tool

COMPLETE

Chili Piper uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system administrator.

3 TESTS

Company has a version control system: Inspected the company's version control system and confirmed it is actively used.

Only authorized employees change code: Observed that an approved employee can make changes to code on a branch for which he/she has approval.

Only authorized team members access version control: Inspected the users of the company's version control tool and confirmed that all accounts were authenticated to the company's account.

V 2.4

Responsible Disclosure Policy

2 CONTROLS

Disclosure process for customers

COMPLETE

Chili Piper provides a process to external users for reporting security, confidentiality, integrity and availability failures, incidents, concerns, and other complaints.

1 TEST

Contact information available to customers: Chili Piper has provided a URL to their customer accessible support documentation where support contact information is readily available. Further determined customers and/or associated users are encouraged to contact appropriate Company personnel if they become aware of items such as operational or security failures, incidents, system problems, concerns, or other complaints.

Employee disclosure process

COMPLETE

Chili Piper provides a process to employees for reporting security, confidentiality, integrity and availability failures, incidents, and concerns, and other complaints to company management.

1 TEST

Process for responsible disclosure by employees: Inspected Chili Piper's security policies and confirmed they detail a process for employees to report security, confidentiality, integrity and availability failures, incidents, and concerns.

V 2.5

Vulnerability management

2 CONTROLS

Annual penetration tests

COMPLETE

Chili Piper engages third-parties to conduct penetration tests of the production environment at least annually. Results are reviewed by management and high priority findings are tracked to resolution.

1 TEST

Records of penetration testing: Inspected the report from the company's latest penetration test, which was performed in the last 12 months.

Network diagram

COMPLETE

Chili Piper maintains an accurate network diagram that is accessible to the engineering team and is reviewed by management on an annual basis.

1 TEST

Network diagram: Inspected the diagram of Chili Piper's in-scope network and determined it accurately reflected the company's in-scope network.

V 2.6

Security issues

2 CONTROLS

Security issues prioritized

COMPLETE

Security deficiencies tracked through internal tools are prioritized according to their severity by an independent technical resource.

1 TEST

Security issues are prioritized: Inspected the team's task tracker and confirmed security issues are tagged and prioritized accordingly.

SLA for security bugs

COMPLETE

Security deficiencies tracked through internal tools are closed within an SLA that management has pre-specified.

1 TEST

SLA for security bugs: Inspected Chili Piper's procedure settings in Vanta and determined that an SLA for P0 security bugs was set.

V 2.7

Incident Response Plan

4 CONTROLS

Follow-ups tracked

COMPLETE

Chili Piper has implemented an incident response policy that includes creating, prioritizing, assigning, and tracking follow-ups to completion.

1 TEST

Policies for tracking follow-ups to important security items: Inspected the Incident Response Plan and determined that it included a section about tracking follow-ups after incidents.

Incident Response plan

COMPLETE

Chili Piper has an established incident response policy that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents.

1 TEST

Company has an Incident Response Plan: Inspected the Incident Response Plan and determined that it outlines a formal procedure for responding to security events.

Incident Response team

COMPLETE

Chili Piper has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity and confidentiality at Chili Piper.

1 TEST

Company Incident Response Plan cites responsible team members: Inspected the Incident Response Plan and determined that it names the individuals responsible for monitoring for and responding to incidents.

Lessons learned

COMPLETE

Chili Piper has implemented an incident response policy that includes writing "lessons learned" documents after incidents and sharing them with the broader engineering team.

1 TEST

Incident Response Policy includes Lessons Learned: Inspected the Incident Response Plan and determined that it included a section about writing lessons learned documents after incidents.

V 3.0

Organizational security

V 3.1

Security policies

3 CONTROLS

Change management policy

COMPLETE

Chili Piper has developed policies and procedures governing the system development lifecycle, including documented policies for tracking, testing, approving, and validating changes.

1 TEST

Company has a Change Management Policy: Inspected the Change Management Policy and determined that it outlines considerations for planning, design, security, availability, implementation, and maintenance of changes.

Security policies

COMPLETE

Management has approved Chili Piper security policies, and all employees agree to these procedures when hired. Management also ensures that security policies are accessible to all employees and contractors.

2 TESTS

Company has security policies: Inspected Chili Piper's security policies and determined they outline requirements for securing the company's operations, services, and systems.

Security policies accepted: Inspected records of Chili Piper's security policies and determined that all employees have agreed to them.

Security policies reviewed

COMPLETE

Security policies are reviewed at least annually. Policies, procedures and guidelines are created/updated as needed.

1 TEST

Security policies reviewed: Inspected Chili Piper's security policies and determined they were reviewed and approved by management.

V 3.2

Security program

3 CONTROLS

Security team

COMPLETE

Chili Piper has an assigned security team that is responsible for the design, implementation, management, and review of the organization’s security policies, standards, baselines, procedures, and guidelines.

1 TEST

Policies for a security team: Inspected Chili Piper's security policies and determined they identify individuals responsible for the security of the company’s operations, services, and systems.

Security team has communication channel to the CEO

COMPLETE

The security team communicates important information security events to company management in a timely manner.

1 TEST

Security team has a line of communication to the CEO: Inspected Chili Piper's security policies and determined that the security team has a direct communication channel to the CEO.

Security training

COMPLETE

Chili Piper has established training programs for privacy and information security to help employees understand their obligations and responsibilities to comply with the Company’s security policies and procedures, including the identification and reporting of incidents. All full-time employees are required to complete these trainings annually.

2 TESTS

Policies for security awareness training: Inspected Chili Piper's security policies and determined that the security team is responsible for training all employees on security at the company.

Security awareness training selected: Inspected the security awareness training that all employees must complete on hire and confirmed that it provides information related to the tactics that hackers take that could compromise the security of the company’s and its customers' data.

V 3.3

Personnel Security

6 CONTROLS

Acceptable Use Policy

COMPLETE

Chili Piper has policies and procedures in place to establish acceptable use of information assets approved by management, posted on the company wiki, and accessible to all employees. All employees must agree to the Acceptable Use Policy on hire.

2 TESTS

Company has an Acceptable Use Policy: Inspected company records and determined a policy that establishes the acceptable use of information assets is in place, has been approved by management, and is accessible to employees.

Employees agree to Acceptable Use Policy: Inspected Chili Piper records and determined that all employees had agreed to the company's Acceptable Use Policy.

Annual performance evaluations

COMPLETE

The company evaluates the performance of all employees through a formal, annual performance evaluation.

1 TEST

Performance evaluation process: Inspected records of the company's process for formal performance evaluations and determined they describe a formal process to evaluate employee competency.

Code of Conduct

COMPLETE

Chili Piper has established a code of conduct and requires all employees to agree to it on hire. Management monitors employees' acceptance of the code.

2 TESTS

Company has a Code of Conduct: Inspected the policy that documents the company's Code of Conduct to determine that it was in place and provides guidance on workforce conduct standards.

Employees agree to Code of Conduct: Inspected Chili Piper records and determined that all employees had agreed to the company's Code of Conduct on hire.

Data protection policy

COMPLETE

Chili Piper has established a Data Protection Policy and requires all employees to agree to it on hire. Management monitors employees' acceptance of the policy.

1 TEST

Company has a Data Protection Policy: Inspected the company's Data Protection Policy to determine that it was in place.

Formal recruiting process

COMPLETE

New hires or internal transfers are required to go through an official recruiting process during which their qualifications and experience are screened to ensure that they are competent to fulfill their responsibilities.

1 TEST

New hire contract: Inspected a sample new hire contract from Chili Piper.

Job descriptions

COMPLETE

All positions have a detailed job description that lists qualifications, such as requisite skills and experience, which candidates must meet in order to be hired by Chili Piper.

2 TESTS

Job descriptions: Chili Piper has provided a URL to their external jobs page.

Engineering job description: Inspected a sample engineering job description from Chili Piper.

V 3.5

Endpoints (laptops)

3 CONTROLS

Login password

COMPLETE

Company management ensures that all company-issued laptops use a screensaver lock with a timeout of no more than 60 seconds.

1 TEST

Screensaver lock required on employee computers: Inspected Chili Piper's security policies and determined that employee computers must have a login password that activates after the machine had been idle for five minutes or less.

Password manager

COMPLETE

Company management ensures that a password manager is installed on all company-issued laptops.

2 TESTS

Password managers required: Inspected Chili Piper's security policies and determined that employees are required to use a password manager to set, store, and retrieve passwords for cloud services.

Password manager records: Inspected employee computers and determined that each was running a password manager and that employees knew to use it when setting, retrieving, and storing company passwords.

Personal firewalls

COMPLETE

Company management ensures that company-issued laptops have a personal firewall.

1 TEST

Personal firewalls required: Inspected Chili Piper's security policies and determined that the company required employees to run personal firewall software on any company-owned computer that connects to the public internet.

V 4.0

Product security

V 4.2

Data encryption

3 CONTROLS

Cryptography policies

COMPLETE

Chili Piper has established policies and procedures that govern the use of cryptographic controls.

1 TEST

Company has a Cryptography Policy: Inspected Chili Piper's cryptography policies and confirmed they list resources that employees may access to ensure they understand the procedures and their responsibilities.

Customer data encrypted at rest

COMPLETE

Customer data stored in databases is encrypted at rest.

2 TESTS

Customer data is encrypted at rest (GCP): Inspected the configuration of the SQL database(s) storing customer data and determined that data is encrypted at rest.

Customer data in Google Cloud Storage is encrypted at rest (GCP): Inspected the configuration of the Google Cloud Storage bucket(s) storing customer data and determined it is (they are) encrypted at rest.

SSL used

COMPLETE

The company ensures that all connections to its web application from its users are encrypted.

4 TESTS

SSL configuration has no known issues: Inspected the SSL configurations used to encrypt all data in transit and determined that there are no known issues.

SSL enforced on company website: Observed a user connecting to the company website and application and determined both are reachable exclusively over HTTPS. Further observed that if the user manually edits the URL to start with http://, s/he will be redirected to an https:// URL.

SSL certificate has not expired: Inspected the certificate used to encrypt all data in transit and determined it has not expired.

Strong SSL/TLS ciphers used: Inspected the SSL/TLS ciphers used to encrypt all data in transit and determined that they are all secure.

V 4.3

Customer communication

3 CONTROLS

Company commitments explained to customers

COMPLETE

Security commitments are communicated to external users, as appropriate.

1 TEST

MSAs offered to customers: Chili Piper's security commitments are included in the Master Service Agreement (MSA), available to authorized customers.

Company has a Privacy Policy

COMPLETE

Chili Piper maintains a Privacy Policy that is available to all external users and internal employees, and it details the company's confidentiality and privacy commitments.

1 TEST

Privacy policy publicly available: Chili Piper has provided a URL to their public Privacy Policy.

Company has a Terms of Service

COMPLETE

Chili Piper maintains a Terms of Service that is available to all external users and internal employees, and the terms detail the company's security and availability commitments regarding the systems. Where the Terms of Service may not apply, the company has Client Agreements or Master Service Agreements in place.

1 TEST

Terms of service publicly available: Chili Piper has provided a URL to their public Terms of Service.

V 5.0

Infrastructure security

V 5.1

Authentication and authorization

6 CONTROLS

MFA on accounts

COMPLETE

Access to sensitive systems and applications requires two factor authentication in the form of user ID, password, OTP and/or certificate.

2 TESTS

MFA on GSuite: Inspected all GSuite users and determined that each account is configured with MFA.

MFA on version control tool: Inspected all users of the company's version control tool and determined that each account is configured with MFA.

Password policy

COMPLETE

Chili Piper has established formal guidelines for passwords to govern the management and use of authentication mechanisms.

1 TEST

Internal password policy for employee accounts: Inspected the company's internal policy that governs the passwords employees set across services.

System access granted

COMPLETE

Access to infrastructure and code review tools is granted to new employees within one week of their start date.

2 TESTS

Infrastructure accounts allocated within one week of request: Inspected logs from Chili Piper's task tracker and determined employee access to infrastructure is granted within one week of the initial request.

GitHub accounts allocated within one week of request: Inspected logs from Chili Piper's task tracker and determined employee access to the version control tool is granted within one week of the initial request.

Terminated employee access revoked within one business day

COMPLETE

Access to infrastructure and code review tools is removed from terminated employees within one business day.

1 TEST

Version control accounts removed when employees leave: Inspected company records and determined that terminated employees' accounts were removed from the version control tool within the specified SLA of the employee becoming unauthorized.

Unique accounts

COMPLETE

Access to corporate network, production machines, network devices, and support tools requires a unique ID.

5 TESTS

Employees have unique infrastructure accounts: Inspected the configuration for the company's infrastructure tool and confirmed that employees have unique accounts on the service.

Employees have unique email accounts: Inspected the configuration for the company's email tool and confirmed that employees have unique accounts on the service.

Employees have unique version control accounts: Inspected the configuration for the company's version control tool and confirmed that employees have unique accounts on the service.

Employees have unique chat accounts: Inspected the configuration for the company's chat tool and confirmed that employees have unique accounts on the service.

Service accounts used (GCP): Inspected the configuration for the company's infrastructure provider and confirmed that permissions are assigned to services via IAM roles, rather than having individual users or groups attached.

Unique SSH

COMPLETE

SSH users use unique accounts to access production machines. Furthermore, the `root` account is not used.

1 TEST

Employees have unique SSH keys: Inspected the configuration of Chili Piper laptops and determined the company has an established key management process in place to support the organization’s use of unique SSH accounts.

V 5.2

Availability

1 CONTROL

Customers informed of changes

COMPLETE

System changes that may affect security, availability, processing integrity, or confidentiality are communicated to customers and users who will be affected.

1 TEST

Company informs customers of changes that may affect availability and security of the system: Chili Piper has provided a URL to their blog, status page, emails, newsletters, and/or support page that describes changes that may affect external user responsibilities.

V 5.3

Backups

2 CONTROLS

Daily database backups

COMPLETE

Backups are performed daily and retained in accordance with a pre-defined schedule in the Backup Policy.

2 TESTS

Company has a Backup Policy: Inspected the Backup Policy and determined it specified how often backups should be made and for how long they should be kept.

Daily database backups (GCP): Inspected the database configuration and determined that backups are made daily using the infrastructure provider's automated backup service.

Storage buckets are versioned

COMPLETE

Storage buckets that contain customer data are versioned.

1 TEST

Storage data versioned or retained (GCP): Inspected the storage bucket configuration and determined that all buckets containing customer data have a versioning configuration or retention policy set.

V 5.4

Logging

2 CONTROLS

Logs centrally stored

COMPLETE

The company uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.

2 TESTS

Logs are centrally stored (GCP): Inspected the configuration of the system that collects and stores server logs and confirmed that it deposits logs in a central location.

Only authorized users can access log sinks (GCP): Inspected the configuration of the system that collects and stores server logs and confirmed that it only accepts connections from authorized users.

Logs retained for 12 months

COMPLETE

Logging software retains log entries for at least 12 months.

1 TEST

Logs retained for 365 days (GCP): Inspected the configuration of the log aggregation tool and determined that long-term storage sinks have been configured for server logs.

V 5.5

Monitoring

4 CONTROLS

Databases monitored and alarmed

COMPLETE

Management has implemented tools to monitor Chili Piper SQL databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

3 TESTS

SQL database CPU monitored (GCP): Inspected the database monitoring configuration and determined that server CPU use is monitored, with alerts to appropriate personnel at certain thresholds.

SQL database free storage space monitored (GCP): Inspected the database monitoring configuration and determined that free storage space is monitored, with alerts to appropriate personnel at certain thresholds.

SQL database I/O monitored (GCP): Inspected the database monitoring configuration and determined that I/O is monitored, with alerts to appropriate personnel at certain thresholds.

Message queues monitored and alarmed

COMPLETE

Management has implemented tools to monitor Chili Piper messaging queues and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

1 TEST

Messaging queue message age monitored (GCP): Inspected the messaging queue monitoring configuration and determined that message age is monitored, with alerts to appropriate personnel at certain thresholds.

NoSQL database monitored and alarmed

COMPLETE

Management has implemented tools to monitor Chili Piper NoSQL databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

2 TESTS

Bigtable cluster CPU load monitored (GCP): Inspected the Bigtable cluster monitoring configuration and determined that CPU load is monitored, with alerts to appropriate personnel at certain thresholds.

Bigtable cluster storage utilization monitored (GCP): Inspected the Bigtable cluster monitoring configuration and determined that storage utilization is monitored, with alerts to appropriate personnel at certain thresholds.

Servers monitored and alarmed

COMPLETE

Management has implemented tools to monitor Chili Piper servers and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

1 TEST

GCP instance CPU monitored (GCP): Inspected the server monitoring configuration and determined that server CPU use is monitored, with alerts to appropriate personnel at certain thresholds.

V 5.6

Network

2 CONTROLS

Firewalls

COMPLETE

Management uses configurations that ensure only approved networking ports and protocols are implemented, including firewalls.

2 TESTS

Firewall default disallows traffic (GCP): Inspected the firewall configuration files for each perimeter device type and determined that they were configured to deny all traffic that is not explicitly allowed.

Firewall default disallows traffic (GCP): Inspected the firewall configuration files for each perimeter device type and determined that they were configured to deny all traffic that is not explicitly allowed.

VPN required for production access

COMPLETE

Users can only access the production system remotely through the use of encrypted communication systems.

1 TEST

Corporate resources protected by VPN: Inspected deployment configuration files and determined that corporate resources are protected with a VPN or other strong network-protection mechanism.

V 5.7

Protecting secrets

1 CONTROL

Credential keys managed

COMPLETE

Chili Piper has an established key management process in place to support the organization’s use of cryptographic techniques.

1 TEST

Security policies cover encryption: Inspected Chili Piper's security policies and determined they explain the procedures for encrypting sensitive data.

V 6.0

Physical security

V 6.1

Data center security

1 CONTROL

Physical security

COMPLETE

Chili Piper has security policies that have been approved by management and detail how physical security for the company's headquarters is maintained. These policies are accessible to all employees and contractors.

1 TEST

Company has a Physical Security Policy: Inspected Chili Piper's physical security policy and determined that it outlines policies for access to the company's physical office.

Appendix A: Definitions

Bug bounty program: A crowdsourcing initiative that rewards individuals for discovering and reporting software bugs, especially those that could cause security vulnerabilities or breaches.

DDoS: Distributed denial of service. A DDoS attack is an attack in which multiple compromised computer systems flood a target—such as a server, website, or other network resource—with messages or requests to cause a denial of service for users of the targeted resource.

Multifactor authentication (MFA): A security system that requires multiple methods of authentication using different types of credentials to verify users’ identities before they can access a service.

Penetration test: The practice of testing a computer system, network, or web application to find vulnerabilities that an attacker might exploit.

Principle of least privilege: The principle of giving a user or account only the privileges that are required to perform a job or necessary function.

Protected data: Data that is protected from public view or use; includes personally identifiable information, sensitive data, HIPAA data, or financial data.

Sensitive data: Any information a reasonable person considers private or would choose not to share with the public.

SSH: Secure shell. A cryptographic network protocol for operating network services securely over an unsecured network.

SSL: Secure sockets layer. The standard security technology for establishing an encrypted link between a web server and a browser.

Appendix B: Document history

Vanta continuously monitors the company’s security and IT infrastructure to ensure the company complies with industry-standard security standards. Vanta tests the company’s security posture continuously, and this report is automatically updated to reflect the latest findings.

About Vanta

Vanta provides a set of security and compliance tools that scan, verify, and secure a company’s IT systems and processes. Our cloud-based technology identifies security flaws and privacy gaps in a company’s security posture, providing a comprehensive view across cloud infrastructure, endpoints, corporate procedures, enterprise risk, and employee accounts.

Vanta is based in San Francisco, California and was founded by engineers from Apple and Dropbox.