Trust is verifiable.
This page summarises the security and compliance controls that underpin the platform and the certifications we are working towards. Technical controls are configurable within the product, and certification status is shown below.
Compliance and certifications
What is active, in progress or planned.
The audit window and auditor have not yet been determined.
ISMS preparation is being planned.
A DPA under Art. 28 is available, and records of processing activities under Art. 30 are maintained internally.
Relevant to public administration in Germany.
Outside the current industry focus; a project-specific assessment is available on request.
We do not process protected health information; U.S. healthcare is not our current market focus.
Audit reports such as SOC 2 Type II are provided under NDA to qualified buyers. Request them at security@vand.ai.
Technical controls
Controls implemented directly in the product.
TLS 1.3 protects incoming connections. PostgreSQL and object storage are encrypted at rest with hosting-provider-managed keys. MCP OAuth tokens and two-factor secrets are additionally encrypted at the application layer.
OIDC sign-in supports configurable user review or automatic provisioning, a domain allowlist and a default role per organisation.
Configure →TOTP is available per user and can be enforced for an organisation. Recovery codes can be generated, and sessions record two-factor verification.
Enable →Security-relevant actions are logged with actor, IP address, user agent and metadata. Exports are available as CSV or JSONL for SIEM ingestion.
Open audit log →Conversations and generated assets are deleted automatically after a configurable period. Pinned, restricted or legally held data follows its applicable exception policy.
Manage policies →Administrators can place individual conversations on hold, excluding them from retention sweeps and user deletion until the hold expires.
Configured personal identifiers can be redacted before content is sent to global providers while the original remains in the protected workspace context.
Review filters →Administrators can restrict capabilities such as chat, image generation and embeddings to Local, EU or Global processing. The server checks policy on every model request.
Manage model policies →GDPR rights as self-service
Access, erasure and portability without a support ticket where available.
Users can request or download a record of their personal data across their workspaces without requiring approval from a workspace owner.
My data export →Owners can schedule workspace deletion with a seven-day grace period. On request, personal data is deleted without delay unless statutory retention obligations apply.
Manage workspace data →Owners can export workspace data, including conversations, members, generated assets and audit information, in a versioned machine-readable format.
Export workspace →Sub-processors and data location
Processor information for Local, EU and Global data boundaries.
The dedicated DPA disclosure documents all sub-processors and the data boundary in which each may be used.
DPA and sub-processor list →Incident response and availability
How incidents are reported and service levels are defined.
Personal-data breaches are reported to the competent supervisory authority without undue delay and, where required by Art. 33 GDPR, within 72 hours. Affected workspaces are informed when legally required.
Service levels depend on the selected plan and contract. Historical availability can be provided on request.
Responsible disclosure
Confidential reporting of security vulnerabilities.
Report security vulnerabilities confidentially to security@vand.ai. A PGP key is available on request. We acknowledge receipt within two business days and prioritise exploitable findings.