VendorX is designed with multi-tenant data isolation, defense-in-depth security, and transparent compliance milestones. We earn trust through engineering, not marketing.
VendorX protects your data with 3-layer tenant isolation, OAuth 2.0/OIDC authentication, 5-tier role-based access control, and encryption at rest and in transit. Every deployment passes 200+ automated isolation tests. We are actively pursuing SOC 2 certification and maintain transparent compliance milestones.
How VendorX protects your data at every layer.
3-layer defense: application query filters, PostgreSQL Row-Level Security, and API authorization gates. 200+ automated isolation tests validate every deployment.
OAuth 2.0/OIDC via OpenIddict with 5-tier role-based access control. MFA-gated control plane with session rotation and fail-closed session validation.
TLS 1.3 enforced on all connections. AES-256 encryption at rest via Azure-managed database encryption. HTTPS required for all API communication.
5-tier RBAC (Customer, Fulfillment Coordinator, Sales Rep, Sales Manager, Admin) with permission-based action-level gates. Step-up re-authentication for sensitive operations.
Structured audit logging on all endpoints via Serilog. Tamper-evident integrity verification on privileged control-plane operations. Role-gated audit exports.
Every pricing decision (guardrail checks, approvals, overrides, realized-price calculations) is sealed into a SHA-256 hash chain. Each record links to the prior record, so any alteration to historical pricing data breaks the chain and is detected automatically on verification. On-demand and scheduled chain integrity jobs.
Per-tenant API rate limiting and FluentValidation input validation on all endpoints. Defense-in-depth request pipeline with parameterized queries and structured error responses.
Automated dependency scanning via GitHub Dependabot. OSS license audit and Software Bill of Materials (SBOM) baseline completed. Emergency patch SLAs enforced.
GitHub Actions CI/CD pipeline with automated testing, lint checks, and security scanning on every pull request. Test suite of 2,000+ tests with a 99.95%+ pass rate.
Honest milestones, not marketing badges. Here is where we stand today.
TOTP verification, backup codes, trusted device management, rate-limited challenges with automatic lockout.
Production RBAC with configurable tenant security policies (NIST AAL2 baseline). Step-up MFA for sensitive operations.
Append-only audit trail on all endpoints. Tier-redacted detail views, CSV/JSONL export, and audit-of-audit event logging.
Every pricing decision sealed into a SHA-256 hash chain. Each record links cryptographically to the prior record — any edit to historical data breaks the chain and is detected automatically. On-demand and scheduled chain verification jobs.
Sentry error tracking, OpenTelemetry distributed tracing, Prometheus metrics. Structured logging with Serilog.
Policy documentation in progress. Gap assessment and Sprinto readiness kickoff planned.
Dependent on SOC 2 Type I completion and 6-month observation period.
Integration partner selected (WorkOS). Implementation pending FEAT-122.
First engagement being scheduled. Focus: cross-tenant access, authentication bypass, API security.
Continuous security testing program. Activation dependent on platform maturity.
Documentation and evidence supporting our security posture.
Multi-layer defense architecture: OAuth 2.0/OIDC authentication via OpenIddict, 5-tier RBAC authorization, MFA-gated control plane, and defense-in-depth request pipeline with rate limiting and input validation.
3-layer tenant isolation: EF Core query filters, PostgreSQL Row-Level Security (SET LOCAL app.tenant_id), and API-level authorization. 200+ automated isolation tests run in CI/CD on every commit.
TLS 1.3 enforced on all transport. AES-256 encryption at rest via Azure Database encryption. All API communication requires HTTPS.
Documented incident response procedures with severity-based SLAs: Critical (RCE/auth bypass) < 24 hours, High (data exposure) < 72 hours, Medium < 2 weeks. Monitoring via Sentry and OpenTelemetry.
Every pricing decision — guardrail evaluations, approval actions, override applications, and realized-price calculations — is sealed into a SHA-256 hash chain. Each record cryptographically links to the prior record, so any edit to historical pricing data breaks the chain and is detected automatically. Verification runs on demand and as a scheduled integrity job. Hash-chained, not cryptographically immutable: tampering is detectable, not prevented.
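As an added illustration of the sealing and verification described here (not VendorX's implementation; the record layout, the all-zero genesis value and the sample pricing decisions are constructed), the following builds a SHA-256 hash chain, shows that an in-place edit to a historical record is detected, and adds a second check against a head hash stored outside the database:

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record (constructed)

def record_hash(prev_hash: str, payload: dict) -> str:
    # Hash covers the payload and the link to the prior record; sorted keys and
    # fixed separators make the serialisation deterministic
    body = json.dumps({"prev_hash": prev_hash, "payload": payload}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(decisions: list) -> list:
    chain, prev = [], GENESIS
    for payload in decisions:
        h = record_hash(prev, payload)
        chain.append({"prev_hash": prev, "payload": payload, "hash": h})
        prev = h
    return chain

def verify_chain(chain, anchored_head=None):
    # None if intact, else index of the first bad record. anchored_head is the latest
    # hash kept outside the DB; without it a re-seal of the whole tail verifies clean.
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev or rec["hash"] != record_hash(prev, rec["payload"]):
            return i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(chain)  # stored hashes are self-consistent, but the head moved
    return None

# Constructed pricing decisions for one quote: guardrail check, approval, override
DECISIONS = [
    {"seq": 1, "type": "guardrail", "quote": "Q-1001", "floor": 90.0, "price": 95.0, "result": "pass"},
    {"seq": 2, "type": "approval", "quote": "Q-1001", "approver": "sales-manager-1", "price": 95.0},
    {"seq": 3, "type": "override", "quote": "Q-1001", "price": 88.0, "reason": "volume deal"},
]

def tamper_detected():
    # Edit the approved price in record 1 in place, as a direct UPDATE would
    chain = build_chain(copy.deepcopy(DECISIONS))
    chain[1]["payload"]["price"] = 80.0
    return verify_chain(chain)  # -> 1: record 1's stored hash no longer matches

def resealed_tail_detected():
    # Re-seal records 1..n after the edit; only the anchored head catches this
    head = build_chain(DECISIONS)[-1]["hash"]
    edited = copy.deepcopy(DECISIONS)
    edited[1]["price"] = 80.0
    return verify_chain(build_chain(edited), anchored_head=head)  # -> 3
```

A single in-place edit is caught by the per-record hash; an edit followed by re-sealing every later record is only caught when the head hash is kept somewhere the database writer cannot reach, which is the practical meaning of "detectable, not prevented".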
Vendor management policy covering infrastructure providers (Azure, Vercel, Stripe, Render). Security posture inherited from provider SOC 2 certifications. Vendor evidence collection tracked as part of SOC 2 readiness.
VendorX uses the following sub-processors to deliver platform services: Microsoft Azure (West US 2 — compute, storage), Render (US — managed PostgreSQL), Vercel (global edge — frontend hosting), Stripe (payments — PCI DSS Level 1), ShipStation (shipping label generation), Sentry (error tracking and monitoring). All sub-processors maintain SOC 2 Type II certification or equivalent. Changes to sub-processors are communicated to partners in advance.
Platform application services run on Microsoft Azure West US 2 region. Primary database (PostgreSQL) is hosted on Render US infrastructure. Frontend is served globally via Vercel edge network. All tenant data at rest resides within United States data centers. Cross-border data transfer mechanisms will be documented as part of GDPR readiness for partners with EU exposure.
VendorX commits to notifying affected partners within 72 hours of a confirmed security breach involving personal data or tenant data, satisfying the most restrictive US state notification statutes (California SB-1386/AB-1950, New York SHIELD Act, Colorado CPA). Notification includes: nature of the breach, categories of data affected, remediation steps taken, and recommended partner actions. Partners are responsible for downstream notification to their end customers.
Published vulnerability disclosure policy based on CISA VDP template. Includes scope definition, safe harbor commitment for good-faith security researchers, severity-based response SLAs, and coordinated disclosure timeline. Accessible at /trust-center/vulnerability-disclosure.
Real-time platform health monitoring via Azure Application Insights and Vercel analytics. Public status page planned for Month 1-2 to provide incident visibility, uptime history, and scheduled maintenance windows.
Documented data retention and disposal policy covering tenant data, audit logs, backups, and account closure procedures. Retention periods aligned with legal requirements and operational needs. Partners receive data export and deletion confirmation upon request.
Annual third-party penetration testing targeting cross-tenant access, authentication bypass, and API security. First engagement scheduled for Month 3.
SOC 2 readiness program managed through Sprinto. Policy documentation in progress. Type I audit targeted for Month 5-6, Type II for Month 12-18.
Documented business continuity and disaster recovery plan. Infrastructure hosted on Azure with managed database services. Backup restoration testing in progress.
Standard DPA available for partners processing personal data through VendorX. Covers data handling obligations, sub-processor governance, breach notification terms, and data subject rights support for GDPR and CCPA compliance readiness.
VendorX maintains cyber liability insurance coverage providing financial protection against data breaches, security incidents, and related claims. Certificate of insurance available to partners upon request.