TLP:GREEN · DISTRIBUTABLE
vault security · ops console v8.4
OPS / 01 · security · trust posture [Read-only]

The trust posture, line by line.

The full security and compliance posture of the Vault platform — attestations, controls, subprocessors, and the IR runbook. What procurement and the CISO read before sign-off. Reports under MNDA.

OPS / 02 · attestations · current [All clear]

Attestation | Auditor / status | Notes
SOC 2 Type II | Annual · A-LIGN | Report under MNDA · current to 2026-04-01
ISO 27001:2022 | Schellman | Certified Q4 2024 · re-cert 2027
ISO 27017 | Schellman | Cloud-specific extension to 27001
ISO 27018 | Schellman | PII protection in cloud
FedRAMP Moderate | Authorized · 2025 | ATO sponsoring agency confidential
PCI DSS Level 1 | Trustwave | Re-attested annually · current to 2026-09
HIPAA · BAA | Available | On every Org-tier contract
GDPR + DORA | EU + UK | DPA + EU data residency
OPS / 03 · controls · how the platform is defended [Read-only]

Six controls. The actual ones, not a marketing summary.

01 · Data at rest

AES-256 encryption on every database, every backup, every storage tier. Customer-managed keys (CMK) on the Org tier via AWS KMS, Azure Key Vault, or GCP Cloud KMS. Backups retained 30 days hot, 365 days cold.

02 · Data in transit

TLS 1.3 only. Internal service-to-service traffic uses mTLS. The customer console is on the HSTS preload list, so browsers never negotiate a plaintext connection to it.

03 · Identity + access

RBAC with 14 default roles plus custom roles. SAML SSO and SCIM provisioning on the Org tier (Okta, Azure AD, Google Workspace). Mandatory 2FA on all admin actions.

04 · Audit log

Every API call, every console action, every record change is logged with actor, timestamp, IP, source, and outcome. 90-day hot retention, 7-year cold. Streamed to your SIEM via webhook on the Org tier.

05 · Pen-test + SCA

External pen-test by an approved firm (Bishop Fox / NCC) twice per year. Continuous SCA on every dependency; automated patching for critical CVEs within 24 hours. Disclosure inbox: security@vault.io.

06 · Incident response

Documented IR runbook, tabletop exercises quarterly. Customer notification within 72 hours per GDPR Art. 33; in practice, we contact affected customers same-day. Status page at status.vault.io.

OPS / 04 · subprocessors · current [Read-only]

Subprocessor changes are notified by email 30 days before they take effect. Customers can object, and we will work with them on an alternative. Last updated 2026-04-22.

Provider | Region | Purpose
Amazon Web Services | us-east-1, us-west-2, eu-west-1, ap-southeast-2, ca-central-1 | Compute, database, storage
Cloudflare | Global edge | DDoS protection · WAF · DNS
Twilio | Global | SMS + voice for IR notifications
Datadog | us1 | Application monitoring (logs scrubbed of customer data)
Stripe | Global | Payment processing (PCI scope)
Okta · Auth0 | us-east-1 | Optional SSO infrastructure
OPS / 05 · incident response · runbook [Action req]

What happens if something does go wrong.

T+0 · Detect
Anomaly raised by Vault internal monitoring or external disclosure. On-call engineer paged within 30 sec via PagerDuty.

T+15m · Triage
Severity classification by an L2+ engineer. P0/P1 escalates to the incident commander within 15 min. Incident channel opened in dedicated Slack.

T+30m · Contain
Pre-approved containment playbook executed. Customer-affecting actions get IC sign-off; everything is logged to the immutable audit store.

T+1h · Customer comms
Status page updated within one hour. Affected customer admins notified by email; severe events also get a phone call to the named CSM.

T+72h · RCA
Root-cause analysis published to the customer trust portal within 72 hours. GDPR-required notification within 72 hours per Art. 33; we usually beat that.
OPS / 06 · system status · live [All clear]

All systems operational
status.vault.io · last incident 24d ago

Component | Uptime
Console | 99.99%
Detection engine | 99.97%
Evidence store | 99.99%
API | 99.98%
Webhook delivery | 99.96%
SIEM streaming | 99.95%