Security and Compliance - VendorGate Data Protection

VendorGate is built to protect your credentials, isolate your data, and provide a complete audit trail of every validation run.

Credentials are encrypted and never exposed

All connection credentials are encrypted at rest using AES-256-GCM. The encryption key is stored separately from the database. Credentials are decrypted in memory only at the moment of use.

  • AES-256-GCM encryption at rest
  • Decrypted only immediately before use
  • Never returned in API responses after creation
  • Never logged or written to disk unencrypted

AES-256-GCM

TLS 1.3

Never exposed

Full audit log

Secure connections by default

API traffic

All traffic between your browser and the VendorGate API uses TLS 1.3 minimum.

SFTP and FTPS

File transfers use SSH key or password authentication over encrypted transport. FTPS is required for production FTP use.

Webhooks

Outbound webhook payloads are signed with HMAC-SHA256 so your endpoints can verify origin and integrity.

Tenant-scoped data

Every object in VendorGate belongs to an account and a team. Users invited to a team see only that team's pipelines, contracts, credentials, and runs.

  • Account-level billing and tenant boundaries
  • Team-scoped access to all resources
  • Role-based access control
  • Run artifacts scoped to the owning account

Every event is recorded

The platform records every event in the lifecycle of every run. You can answer any question about any file that passed through it, at any point in time.

  • Immutable run artifacts
  • Findings, measurements, anomalies, and decisions
  • Delivery and notification events
  • Configurable retention policies

GDPR-ready architecture

VendorGate is designed with privacy by default. We collect only what is needed to run the service, scope data to tenants, and provide clear data handling practices.

Data minimization

Tenant isolation

Clear policies

EU data residency roadmap

Have a security question?

We are happy to walk you through our architecture, provide a security whitepaper, or discuss a Data Processing Agreement.