Skip to main content
VendexLabs handles vendor risk data for our customers, which means our own security posture has to hold up to the same scrutiny we help our customers apply to their vendors. This page describes how we protect your data today.
Last updated: June 20, 2026. Security is a living program. If your procurement process needs details beyond what’s here, contact security@vendexlabs.com.

Infrastructure security

VendexLabs is hosted on Amazon Web Services (AWS) with multi-region redundancy and strict network isolation between environments. Enterprise assessments can be locked behind approved source IP ranges, so only trusted corporate networks can reach sensitive review workflows.

Data encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. There is no path to customer data that skips encryption in transit.

Access controls

Authentication runs through Amazon Cognito, with Google and Microsoft (Entra ID) available as single sign-on providers and enterprise SSO available by request (see Sign in & SSO). Within a customer organization, access is governed by role-based access control (see Organizations & members). Employee access to production systems requires multi-factor authentication and follows the principle of least privilege: access is scoped to what a role actually needs, and reviewed as roles change.

Application security

We follow secure development practices, use automated code analysis, and gate releases through a controlled deployment workflow rather than pushing directly to production.

Compliance & assessments

VendexLabs completes the Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire (CAIQ) as a CSA STAR Level 1 self-assessment — a structured self-review against the CSA’s Cloud Controls Matrix.
This is a self-assessment, not a third-party audit — no external auditor is involved and no certification is issued. It gives prospective customers a consistent, comparable view of our security controls. Our completed CAIQ is available upon request.
We do not currently hold SOC 2, ISO 27001, or other third-party-audited certifications. If your procurement process requires one, contact security@vendexlabs.com to discuss our roadmap and timelines. See Compliance & certifications for more.

Incident response

We maintain a designated incident response process: security-relevant events are triaged, contained, and investigated by our team. If we confirm an incident affecting customer data, we notify affected customers without undue delay, consistent with our contractual and legal obligations.

Reporting a vulnerability

If you believe you’ve found a security vulnerability in VendexLabs, please report it to security@vendexlabs.com. See Vulnerability disclosure for guidelines.

Privacy

What we collect, why, and the choices you have.

Compliance & certifications

Where we stand on frameworks and audits.