Trust
Security and Compliance - VendorGate Data Protection
VendorGate is built to protect your credentials, isolate your data, and provide a complete audit trail of every validation run.
Encryption
Credentials are encrypted and never exposed
All connection credentials are encrypted at rest using AES-256-GCM. The encryption key is stored separately from the database. Credentials are decrypted in memory only at the moment of use.
- AES-256-GCM encryption at rest
- Decrypted only immediately before use
- Never returned in API responses after creation
- Never logged or written to disk unencrypted
AES-256-GCM
TLS 1.3
Never exposed
Full audit log
Transport
Secure connections by default
API traffic
All traffic between your browser and the VendorGate API uses TLS 1.3 minimum.
SFTP and FTPS
File transfers use SSH key or password authentication over encrypted transport. FTPS is required for production FTP use.
Webhooks
Outbound webhook payloads are signed with HMAC-SHA256 so your endpoints can verify origin and integrity.
Isolation
Tenant-scoped data
Every object in VendorGate belongs to an account and a team. Users invited to a team see only that team's pipelines, contracts, credentials, and runs.
- Account-level billing and tenant boundaries
- Team-scoped access to all resources
- Role-based access control
- Run artifacts scoped to the owning account
Audit
Every event is recorded
The platform records every event in the lifecycle of every run. You can answer any question about any file that passed through it, at any point in time.
- Immutable run artifacts
- Findings, measurements, anomalies, and decisions
- Delivery and notification events
- Configurable retention policies
Compliance
GDPR-ready architecture
VendorGate is designed with privacy by default. We collect only what is needed to run the service, scope data to tenants, and provide clear data handling practices.
Data minimization
Tenant isolation
Clear policies
EU data residency roadmap
Have a security question?
We are happy to walk you through our architecture, provide a security whitepaper, or discuss a Data Processing Agreement.