TRUST · SECURITY

Security and trust,
by a security company.

We hold ourselves to the standard we ask of our customers. Here is exactly how we protect your data and our platform, in plain language.

FILE № 01 · COMPLIANCE

Where we stand today.

We are an early-stage company and we are honest about it. Active items are in place now; the rest are on a clear path as we grow.

- GDPR compliant (Active): UK/EU GDPR controller · DPA available
- NIS2-aligned (Active): Product and practices map to NIS2 incident duties
- EU data residency (Active): Core data plane runs in the EU
- Cyber Essentials (In progress): In progress via the Eastern Cyber Resilience Centre

FILE № 02 · CONTROLS

The controls in place.

Data protection
- TLS 1.2+ encryption in transit
- Encryption at rest across the platform
- AES-256-GCM for connected integration credentials
- Integration secrets are never returned to the browser
- Sensitive headers (e.g. Authorization) stripped before storage

Infrastructure & residency
- EU data plane (Supabase EU · Railway EU-West · Upstash & Resend in Ireland)
- Cloudflare WAF, CDN and DDoS protection
- Strict per-tenant data isolation
- Limited US enrichment / AI sub-processors under UK IDTA · EU SCCs

Application security
- Strict Content-Security-Policy, no third-party scripts
- HSTS with preload, HTTPS enforced
- Clickjacking and MIME-sniffing protections
- Statically prerendered site, no runtime code pulled from CDNs
- Continuous error monitoring

Access & authentication
- Managed authentication provider
- Optional two-factor authentication (2FA)
- Least-privilege access to production
- Audit logging of incidents and response actions

Architecture & response
- Agentless, nothing deployed on your systems
- Outbound-only triggers, no inbound connections
- Destructive containment gated by deterministic policy, not an LLM
- Deterministic, explainable risk scoring

Privacy & data handling
- We never sell personal data
- Security telemetry kept max 12 months, then deleted or anonymised
- Transparent sub-processor list
- Anonymised collective learning, opt-out anytime
- DPA available on request

FILE № 03 · SUB-PROCESSORS

Who we rely on.

The vendors that help us run Vantuz. The full list, purposes and transfer safeguards live in our Privacy Policy.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Supabase | Authentication & database | EU |
| Railway | Application hosting | EU · Amsterdam |
| Vercel | Site hosting | Global edge |
| Cloudflare | DNS · CDN · WAF | Global edge |
| Upstash | Job queue | Ireland |
| Resend | Transactional email | Ireland |
| Anthropic | AI incident narrative | US · safeguards |
| VirusTotal · AbuseIPDB · Shodan | IP reputation enrichment | US · safeguards |

FILE № 04 · DOCUMENTS

Read the detail.

FILE № 05 · DISCLOSURE

Found something?

We welcome responsible disclosure. If you believe you have found a security issue, please email us and we will respond quickly. Please give us reasonable time to fix it before any public disclosure.

security@vantuz.co