Your vendor data deserves enterprise-grade protection

At VendorLog, security isn't an afterthought—it's foundational. We understand that you're trusting us with sensitive information about your vendor relationships, contracts, and business operations. We take that trust seriously.


Our Security Principles

Defense in Depth
We implement multiple layers of security controls. If one layer is compromised, others remain to protect your data.

Least Privilege
Access to systems and data is restricted to only what's necessary. Our team members can only access what they need to do their jobs.

Transparency
We believe you should know how we protect your data. This page explains our security practices in plain language.


Data Encryption

In Transit

All data transmitted between your browser and VendorLog is encrypted using TLS 1.3, the latest and most secure transport layer protocol. This includes:

  • All web traffic to and from the application
  • API communications
  • Webhook deliveries
  • Email notifications

We enforce HTTPS everywhere—there's no way to access VendorLog over an unencrypted connection.

At Rest

All data stored in our databases and file systems is encrypted using AES-256, the same encryption standard used by banks and government agencies:

  • Database records
  • File attachments
  • Backups
  • Logs containing sensitive information

Encryption keys are managed through AWS Key Management Service (KMS) with automatic rotation.


Infrastructure Security

Cloud Hosting

VendorLog is hosted on Amazon Web Services (AWS), which provides:

  • SOC 1, SOC 2, and SOC 3 certified data centers
  • ISO 27001 certification
  • Physical security including biometric access controls, 24/7 monitoring, and security staff
  • Redundant power, cooling, and network connectivity

Network Security

  • Web Application Firewall (WAF) to protect against common attacks
  • DDoS protection via AWS Shield
  • Network segmentation to isolate sensitive systems
  • Regular vulnerability scanning and penetration testing

Server Security

  • Hardened operating system configurations
  • Automatic security patching
  • No direct server access—all changes go through code review and deployment pipelines
  • Immutable infrastructure—servers are replaced, not modified

Application Security

Secure Development

  • Security-focused code reviews for all changes
  • Static code analysis to detect vulnerabilities
  • Dependency scanning to identify vulnerable libraries
  • Regular third-party security assessments

Authentication

  • Secure password hashing using bcrypt with appropriate work factors
  • Multi-factor authentication (MFA) available for all accounts
  • Session management with secure, HTTP-only cookies
  • Automatic session expiration after inactivity
  • Account lockout after failed login attempts

Authorization

  • Role-based access control (RBAC)
  • Permission checks on every request
  • Audit logging of all access and changes

Input Validation

  • All user input is validated and sanitized
  • Protection against SQL injection, XSS, and CSRF attacks
  • Content Security Policy (CSP) headers to prevent script injection
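An enterprise reviewer usually wants to verify claims like the secure, HTTP-only session cookies listed under Authentication and the CSP headers listed here against an actual HTTP response rather than take them on faith. The script below is an added example written for this page, not VendorLog's code: it parses a captured response head and reports which of those controls are missing or weak. The two responses are constructed samples, the 180-day HSTS minimum and the js_readable exemption (for a CSRF token cookie that page scripts must read) are this example's own choices, and the HSTS check assumes that "HTTPS everywhere" is enforced in the browser with a Strict-Transport-Security header, which the page does not name.

```python
import re
from typing import Dict, List, Optional, FrozenSet

# Constructed sample responses (not captured from any real site).
GOOD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: csrf=xyz789; Path=/; Secure; SameSite=Strict
"""

BAD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Set-Cookie: session=abc123; Path=/
"""

# Assumed minimum HSTS lifetime for this example: 180 days in seconds.
MIN_HSTS_MAX_AGE = 15552000


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response head into {lowercase-name: [values]}, keeping duplicates."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip the status line and blank separator
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_cookie(value: str, js_readable: FrozenSet[str] = frozenset()) -> List[str]:
    """Report missing Secure/HttpOnly/SameSite attributes on one Set-Cookie value."""
    name = value.split("=", 1)[0].strip()
    # Map attribute name (lowercase) -> raw attribute text, e.g. "samesite" -> "SameSite=Lax"
    attrs = {a.strip().split("=", 1)[0].lower(): a.strip() for a in value.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs and name not in js_readable:
        findings.append(f"cookie {name}: missing HttpOnly")
    samesite = attrs.get("samesite", "").split("=", 1)[-1].strip().lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite not Lax or Strict")
    return findings


def check_csp(value: Optional[str]) -> List[str]:
    """Report script-injection weaknesses in a Content-Security-Policy value."""
    if value is None:
        return ["Content-Security-Policy header missing"]
    directives: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    findings = []
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("CSP: no script-src or default-src")
    else:
        # A nonce or hash source makes 'unsafe-inline' ignored by CSP Level 2+ browsers,
        # so only flag it when neither is present.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
        )
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("CSP: script-src allows 'unsafe-inline' without nonce or hash")
        if "*" in script_src or "'unsafe-eval'" in script_src:
            findings.append("CSP: script-src allows wildcard or 'unsafe-eval'")
    # object-src falls back to default-src; only 'none' there closes the plugin vector.
    if "object-src" not in directives and directives.get("default-src") != ["'none'"]:
        findings.append("CSP: object-src not restricted")
    return findings


def audit(raw: str, js_readable: FrozenSet[str] = frozenset()) -> List[str]:
    """Run all checks over a raw response head and return the list of findings."""
    headers = parse_headers(raw)
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("Strict-Transport-Security header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below 180 days")
    csp = headers.get("content-security-policy")
    findings += check_csp(csp[0] if csp else None)
    for cookie in headers.get("set-cookie", []):
        findings += check_cookie(cookie, js_readable)
    return findings


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit(raw, js_readable=frozenset({"csrf"})) or ["no findings"])
```

To use it against a real service, paste the head of a response captured with your browser's developer tools or curl's -I output in place of the constructed samples; every finding names the header or cookie it concerns so it can be mapped back to the corresponding item on this page.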

Data Protection

Access Controls

  • Your data is logically isolated from other customers
  • Your team members access data only through the application, subject to the permissions you assign them
  • VendorLog staff cannot access your data for support purposes without your explicit permission

Backups

  • Automated daily backups with point-in-time recovery
  • Backups are encrypted and stored in geographically separate locations
  • Regular backup restoration testing
  • 30-day backup retention

Data Retention

  • You control your data—export or delete it anytime
  • When you delete data, it's permanently removed within 30 days
  • Backups containing deleted data are purged according to the retention schedule

Operational Security

Employee Security

  • Background checks for all employees
  • Security awareness training
  • Strict access controls based on job function
  • Secure workstations with full-disk encryption
  • Immediate access revocation upon departure

Incident Response

  • Documented incident response procedures
  • 24/7 monitoring and alerting
  • Post-incident reviews and remediation
  • Customer notification within 72 hours of confirmed breaches affecting their data

Business Continuity

  • Disaster recovery plan tested annually
  • Multi-region data replication
  • Recovery time objective (RTO): 4 hours
  • Recovery point objective (RPO): 1 hour

Compliance

Current

  • GDPR Ready — We support data subject rights including access, portability, and deletion
  • CCPA Compliant — California Consumer Privacy Act requirements met
  • AWS SOC 2 — Our infrastructure provider maintains SOC 2 Type II certification

Planned

  • SOC 2 Type II — VendorLog certification (on roadmap)
  • HIPAA — For healthcare customers (on roadmap based on demand)

Vendor Security

We carefully evaluate the security practices of our vendors and service providers:

Vendor     Purpose                Certifications
AWS        Cloud infrastructure   SOC 2, ISO 27001, FedRAMP
Stripe     Payment processing     PCI DSS Level 1
SendGrid   Email delivery         SOC 2, ISO 27001

All vendors with access to customer data are bound by data processing agreements.


Security Features for Your Team

Available Now

  • Multi-factor authentication — TOTP-based MFA for all users
  • Role-based permissions — Admin, Contributor, and Viewer roles
  • Audit logs — Track who did what and when
  • Session management — View and revoke active sessions
  • Data export — Download your data anytime

Coming Soon

  • SSO integration — Okta, Azure AD, Google Workspace
  • IP allowlisting — Restrict access to approved networks
  • Custom session timeouts — Configure inactivity expiration
  • Advanced audit logs — Detailed activity reporting

Responsible Disclosure

We value the security research community. If you discover a security vulnerability in VendorLog:

  1. Email us at security@vendorlog.io with details of the vulnerability
  2. Include steps to reproduce the issue
  3. Give us reasonable time to respond and fix the issue before public disclosure
  4. Do not access or modify other users' data

We commit to:

  • Acknowledging your report within 48 hours
  • Providing regular updates on our progress
  • Notifying you when the vulnerability is fixed
  • Recognizing your contribution (if desired)

We do not currently offer a paid bug bounty program, but we deeply appreciate responsible disclosure.


Questions?

If you have questions about our security practices or need additional information for your security review:

Email: security@vendorlog.io

For enterprise customers requiring detailed security documentation, we can provide:

  • Security questionnaire responses
  • Architecture diagrams
  • Penetration test summaries
  • Compliance documentation

Security Updates

We continuously improve our security posture. This page was last updated in January 2026.

Major security updates and incidents (if any) will be communicated via:

  • Email to account administrators
  • Status page at status.vendorlog.io
  • In-app notifications

Security is a journey, not a destination. We're committed to continuously improving our security practices to protect your data. If you have suggestions or concerns, we want to hear from you.