> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vendexlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security overview

> How VendexLabs protects your vendor risk data.

VendexLabs handles vendor risk data for our customers, which means our own security posture has to hold up to the same scrutiny we help our customers apply to their vendors. This page describes how we protect your data today.

<Info>
  **Last updated: June 20, 2026.** Security is a living program. If your procurement process needs details beyond what's here, contact [security@vendexlabs.com](mailto:security@vendexlabs.com).
</Info>

## Infrastructure security

VendexLabs is hosted on Amazon Web Services (AWS) with multi-region redundancy and strict network isolation between environments. Enterprise assessments can be locked behind approved source IP ranges, so only trusted corporate networks can reach sensitive review workflows.

## Data encryption

All data is encrypted at rest using **AES-256** and in transit using **TLS 1.2 or higher**. There is no path to customer data that skips encryption in transit.

## Access controls

Authentication runs through **Amazon Cognito**, with **Google** and **Microsoft (Entra ID)** available as single sign-on providers and enterprise SSO available by request (see [Sign in & SSO](/account/sign-in-and-sso)). Within a customer organization, access is governed by role-based access control (see [Organizations & members](/account/organizations-and-members)). Employee access to production systems requires **multi-factor authentication** and follows the principle of **least privilege**: access is scoped to what a role actually needs, and reviewed as roles change.

## Application security

We follow secure development practices, use automated code analysis, and gate releases through a controlled deployment workflow rather than pushing directly to production.

## Compliance & assessments

VendexLabs completes the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ) as a **CSA STAR Level 1 self-assessment** — a structured self-review against the CSA's Cloud Controls Matrix.

<Warning>
  This is a **self-assessment**, not a third-party audit — no external auditor is involved and no certification is issued. It gives prospective customers a consistent, comparable view of our security controls. Our completed CAIQ is available upon request.
</Warning>

We do **not** currently hold SOC 2, ISO 27001, or other third-party-audited certifications. If your procurement process requires one, contact [security@vendexlabs.com](mailto:security@vendexlabs.com) to discuss our roadmap and timelines. See [Compliance & certifications](/trust/compliance) for more.

## Incident response

We maintain a designated incident response process: security-relevant events are triaged, contained, and investigated by our team. If we confirm an incident affecting customer data, we notify affected customers without undue delay, consistent with our contractual and legal obligations.

## Reporting a vulnerability

If you believe you've found a security vulnerability in VendexLabs, please report it to [security@vendexlabs.com](mailto:security@vendexlabs.com). See [Vulnerability disclosure](/trust/vulnerability-disclosure) for guidelines.

<CardGroup cols={2}>
  <Card title="Privacy" icon="lock" href="/trust/privacy">
    What we collect, why, and the choices you have.
  </Card>

  <Card title="Compliance & certifications" icon="clipboard-check" href="/trust/compliance">
    Where we stand on frameworks and audits.
  </Card>
</CardGroup>
