Trust and security · Last reviewed May 10, 2026

Trust is verifiable.

This page summarises the security and compliance controls that underpin the platform and the certifications we are working towards. Technical controls are configurable within the product, and certification status is shown below.

Compliance and certifications

What is active, in progress or planned.

SOC 2 Type IIPlanned
AICPA TSC 2017

The audit window and auditor have not yet been determined.

ISO/IEC 27001:2022Planned
ISO/IEC 27001

ISMS preparation is being planned.

GDPRActive
EU Regulation 2016/679

A DPA under Art. 28 is available, and records of processing activities under Art. 30 are maintained internally.

BSI C5 Type 2Planned
BSI Cloud Computing Compliance Criteria Catalogue

Relevant to public administration in Germany.

TISAXNot in scope
VDA ISA

Outside the current industry focus; a project-specific assessment is available on request.

HIPAA BAANot in scope
U.S. HIPAA Security and Privacy Rules

We do not process protected health information; U.S. healthcare is not our current market focus.

Audit reports such as SOC 2 Type II are provided under NDA to qualified buyers. Request them at security@vand.ai.

Technical controls

Controls implemented directly in the product.

Encryption in transit and at rest

TLS 1.3 protects incoming connections. PostgreSQL and object storage are encrypted at rest with hosting-provider-managed keys. MCP OAuth tokens and two-factor secrets are additionally encrypted at the application layer.

Single sign-on with OIDC and Microsoft Entra

OIDC sign-in supports configurable user review or automatic provisioning, a domain allowlist and a default role per organisation.

Configure
TOTP two-factor authentication

TOTP is available per user and can be enforced for an organisation. Recovery codes can be generated, and sessions record two-factor verification.

Enable
Audit log and SIEM export

Security-relevant actions are logged with actor, IP address, user agent and metadata. Exports are available as CSV or JSONL for SIEM ingestion.

Open audit log
Retention policies per workspace

Conversations and generated assets are deleted automatically after a configurable period. Pinned, restricted or legally held data follows its applicable exception policy.

Manage policies
Legal hold

Administrators can place individual conversations on hold, excluding them from retention sweeps and user deletion until the hold expires.

PII filter for global models

Configured personal identifiers can be redacted before content is sent to global providers while the original remains in the protected workspace context.

Review filters
Capability-based data boundaries

Administrators can restrict capabilities such as chat, image generation and embeddings to Local, EU or Global processing. The server checks policy on every model request.

Manage model policies

GDPR rights as self-service

Access, erasure and portability without a support ticket where available.

Right of accessGDPR Art. 15

Users can request or download a record of their personal data across their workspaces without requiring approval from a workspace owner.

My data export
Right to erasureGDPR Art. 17

Owners can schedule workspace deletion with a seven-day grace period. On request, personal data is deleted without delay unless statutory retention obligations apply.

Manage workspace data
Data portabilityGDPR Art. 20

Owners can export workspace data, including conversations, members, generated assets and audit information, in a versioned machine-readable format.

Export workspace

Sub-processors and data location

Processor information for Local, EU and Global data boundaries.

The dedicated DPA disclosure documents all sub-processors and the data boundary in which each may be used.

DPA and sub-processor list

Incident response and availability

How incidents are reported and service levels are defined.

Security incidents

Personal-data breaches are reported to the competent supervisory authority without undue delay and, where required by Art. 33 GDPR, within 72 hours. Affected workspaces are informed when legally required.

Service levels

Service levels depend on the selected plan and contract. Historical availability can be provided on request.

Responsible disclosure

Confidential reporting of security vulnerabilities.

Security contact

Report security vulnerabilities confidentially to security@vand.ai. A PGP key is available on request. We acknowledge receipt within two business days and prioritise exploitable findings.