VendorX is designed with multi-tenant data isolation, defense-in-depth security, and transparent compliance milestones. We earn trust through engineering, not marketing.
VendorX protects your data with four-layer tenant isolation culminating in database-enforced PostgreSQL Row-Level Security (data is logically separated by customer account at every layer, from the EF Core query filter down to the database policy), OAuth 2.0/OIDC authentication, five-tier tenant role-based access control, and encryption at rest and in transit. SOC 2 Type I attestation is on our roadmap (target Month 5-6 post-launch per Tier-3D §3.18 Security Policy).
How VendorX protects your data at every layer.
Four-layer defense: Entity Framework query filter at the application layer, per-request tenant-scoped PostgreSQL session variable, database-command verification interceptor that fails closed if tenant context is not set, and PostgreSQL Row-Level Security policies on every tenant-scoped table. Tenant data is logically separated by customer account at the database itself, not just the application. Detail at /trust-center/tenant-isolation.
OAuth 2.0/OIDC via OpenIddict with five-tier tenant role-based access control. MFA-gated control plane with session rotation and fail-closed session validation.
TLS 1.3 enforced on all connections. AES-256 encryption at rest via Azure Database Transparent Data Encryption with Microsoft-managed keys today; customer-managed keys (BYOK) held by the platform operator in Azure Key Vault on our near-term roadmap (FEAT-163). HTTPS required for all API communication.
Five-tier tenant RBAC (Customer, Fulfillment Coordinator, Sales Rep, Sales Manager, Administrator) with permission-based action-level gates. A separate platform-administrator role exists VendorX-side for cross-tenant operations under audit and least-privilege discipline (see /trust-center/roles). Step-up re-authentication for sensitive operations.
Structured audit logging on all endpoints via Serilog. Tamper-evident integrity verification on privileged control-plane operations. Role-gated audit exports.
Every pricing decision (guardrail checks, approvals, overrides, realized-price calculations) is sealed into a SHA-256 hash chain. Each record links to the prior record, so any alteration to historical pricing data breaks the chain and is detected automatically on verification. On-demand and scheduled chain integrity jobs.
Per-tenant API rate limiting with FluentValidation on all endpoints. Defense-in-depth request pipeline with parameterized queries and structured error responses.
Automated dependency scanning via GitHub Dependabot. OSS license audit and Software Bill of Materials (SBOM) baseline completed. Emergency patch SLAs enforced.
GitHub Actions CI/CD pipeline with automated testing, lint checks, and security scanning on every pull request.
Honest milestones, not marketing badges. Here is where we stand today.
TOTP verification, backup codes, trusted device management, rate-limited challenges with automatic lockout.
Production RBAC with configurable tenant security policies (NIST AAL2 baseline). Step-up MFA for sensitive operations.
Append-only audit trail on all endpoints. Tier-redacted detail views, CSV/JSONL export, and audit-of-audit event logging.
Every pricing decision sealed into a SHA-256 hash chain. Each record links cryptographically to the prior record — any edit to historical data breaks the chain and is detected automatically. On-demand and scheduled chain verification jobs.
Sentry error tracking, OpenTelemetry distributed tracing, Prometheus metrics. Structured logging with Serilog.
Policy documentation in progress. Gap assessment and Sprinto readiness kickoff planned.
Dependent on SOC 2 Type I completion and 6-month observation period.
Integration partner selected (WorkOS). Implementation pending FEAT-122.
First engagement being scheduled. Focus: cross-tenant access, authentication bypass, API security.
Continuous security testing program. Activation dependent on platform maturity.
Documentation and evidence supporting our security posture.
Multi-layer defense architecture: OAuth 2.0/OIDC authentication via OpenIddict, five-tier tenant RBAC (Customer through Administrator) plus a separate platform-administrator role for VendorX-side operations, MFA-gated control plane, and defense-in-depth request pipeline with rate limiting and input validation. See /trust-center/roles for the role catalog and capability matrix.
Tenant data is logically separated by customer account and enforced at four independent layers: an Entity Framework query filter at the application layer, a per-request tenant-scoped PostgreSQL session variable, a database-command verification interceptor that fails closed if tenant context is not set, and PostgreSQL Row-Level Security policies (`CREATE POLICY` + `FORCE ROW LEVEL SECURITY`) on every tenant-scoped table — migration `20260426220000_AddPostgresRlsPolicies`. Technical detail and AICPA SOC 2 TSC CC6.1 mapping at /trust-center/tenant-isolation.
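The two database-side layers of this model (the per-request tenant session variable and the Row-Level Security policy) as a worked PostgreSQL illustration. This is an added example, not VendorX's migration; the table, role and setting names (orders, app_user, app.tenant_id) are assumptions, and the application-side layers (the EF Core query filter and the command interceptor) are not shown. It serves both the overview of the four layers above and this section, and finishes with checks that exercise the fail-closed behaviour: a session with no tenant context sees nothing, and a write tagged with another tenant's id is rejected.

```sql
-- Constructed PostgreSQL example (not VendorX's schema): per-request tenant
-- session variable + Row-Level Security on a tenant-scoped table.
-- Run the setup as the table owner or a superuser; the checks at the end switch
-- to the unprivileged application role, because superusers and BYPASSRLS roles
-- are never subject to RLS and would make the checks meaningless.

CREATE TABLE orders (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid    NOT NULL,
    sku        text    NOT NULL,
    quantity   integer NOT NULL CHECK (quantity > 0)
);

-- Least-privilege application role (assumed name): not the table owner, no
-- BYPASSRLS. The app's login role would be granted membership in it.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_user;
GRANT USAGE, SELECT ON SEQUENCE orders_id_seq TO app_user;

-- ENABLE applies policies to everyone except the table owner; FORCE applies them
-- to the owner too, so a migration or maintenance job connected as the owner
-- cannot silently read across tenants.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- Fail-closed predicate. current_setting(name, true) returns NULL while the
-- variable has never been set and '' once the placeholder exists but is reset;
-- NULLIF folds both to NULL, and "tenant_id = NULL" is never true, so an
-- untagged session neither reads nor writes any row.
CREATE POLICY tenant_isolation ON orders
    FOR ALL
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Request-scoped tagging: SET LOCAL lasts only until COMMIT/ROLLBACK, so a pooled
-- connection cannot carry one request's tenant into the next. Two constructed
-- tenants, one row each.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO orders (tenant_id, sku, quantity)
    VALUES ('11111111-1111-1111-1111-111111111111', 'SKU-A', 2);
COMMIT;

BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO orders (tenant_id, sku, quantity)
    VALUES ('22222222-2222-2222-2222-222222222222', 'SKU-B', 5);
COMMIT;

-- Checks, run as the application role so the policy actually applies.
SET ROLE app_user;

-- 1. No tenant context: the database returns nothing, not everything.
DO $$
BEGIN
    IF (SELECT count(*) FROM orders) <> 0 THEN
        RAISE EXCEPTION 'RLS not fail-closed: rows visible without tenant context';
    END IF;
END $$;

-- 2. Tenant context set: only that tenant's row is visible, and an INSERT tagged
--    with the other tenant's id fails WITH CHECK (SQLSTATE 42501).
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
DO $$
BEGIN
    IF (SELECT count(*) FROM orders) <> 1
       OR EXISTS (SELECT 1 FROM orders
                  WHERE tenant_id <> '11111111-1111-1111-1111-111111111111') THEN
        RAISE EXCEPTION 'RLS leak: foreign tenant rows visible';
    END IF;
    BEGIN
        INSERT INTO orders (tenant_id, sku, quantity)
            VALUES ('22222222-2222-2222-2222-222222222222', 'SKU-X', 1);
        RAISE EXCEPTION 'RLS leak: cross-tenant insert accepted';
    EXCEPTION WHEN insufficient_privilege THEN
        NULL;  -- expected: new row violates row-level security policy
    END;
END $$;
COMMIT;
RESET ROLE;
```

The policy is written against the session variable rather than against the connecting role, which is what lets one pooled database role serve many tenants while the database itself, not only the application, decides which rows exist for a given request. The ordering matters: if the application ever ran a query before the SET LOCAL, the result would be empty rather than cross-tenant, which is the failure mode you want.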
TLS 1.3 enforced on all transport. AES-256 encryption at rest enforced today by Azure Database Transparent Data Encryption with Microsoft-managed keys; customer-managed keys (BYOK) on our near-term roadmap (FEAT-163). All API communication requires HTTPS.
Documented incident response procedures with severity-based SLAs: Critical (RCE/auth bypass) < 24 hours, High (data exposure) < 72 hours, Medium < 2 weeks. Monitoring via Sentry and OpenTelemetry.
Every pricing decision — guardrail evaluations, approval actions, override applications, and realized-price calculations — is sealed into a SHA-256 hash chain. Each record cryptographically links to the prior record, so any edit to historical pricing data breaks the chain and is detected automatically. Verification runs on demand and as a scheduled integrity job. Hash-chained, not cryptographically immutable: tampering is detectable, not prevented.
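A worked version of the hash chain and its integrity check, added here as an example for the three descriptions of it on this page; it is not VendorX's schema, and the table and function names (pricing_decisions, append_pricing_decision, verify_pricing_chain) are assumptions. Each record's hash covers its own contents and the previous record's hash; the verification function recomputes every hash and every link, so an altered record or a broken link shows up as a row in its output.

```sql
-- Constructed PostgreSQL example (PostgreSQL 11+ for the built-in sha256()):
-- SHA-256 hash chain over pricing decisions plus the verification query a
-- scheduled integrity job would run. Names are illustrative assumptions.

CREATE TABLE pricing_decisions (
    seq        bigserial   PRIMARY KEY,
    decided_at timestamptz NOT NULL DEFAULT now(),
    payload    jsonb       NOT NULL,        -- guardrail check, approval, override, realized price
    prev_hash  text        NOT NULL,        -- hex SHA-256 of the previous record (genesis: 64 zeros)
    hash       text        NOT NULL UNIQUE  -- hex SHA-256 over this record
);

-- One canonical serialization for hashing. jsonb::text is deterministic for
-- equal values (keys are stored in a fixed order), and the timestamp is
-- rendered in UTC so the same inputs always produce the same digest.
CREATE FUNCTION pricing_record_hash(prev_hash text, decided_at timestamptz, payload jsonb)
RETURNS text LANGUAGE sql IMMUTABLE AS $$
    SELECT encode(
        sha256(convert_to(
            prev_hash || '|'
            || to_char(decided_at AT TIME ZONE 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"') || '|'
            || payload::text,
            'UTF8')),
        'hex')
$$;

-- Append one decision. The advisory lock serialises writers so two concurrent
-- appends cannot both link to the same predecessor and fork the chain.
CREATE FUNCTION append_pricing_decision(p_payload jsonb) RETURNS text
LANGUAGE plpgsql AS $$
DECLARE
    v_prev text;
    v_at   timestamptz := clock_timestamp();
    v_hash text;
BEGIN
    PERFORM pg_advisory_xact_lock(hashtext('pricing_decisions'));
    SELECT hash INTO v_prev FROM pricing_decisions ORDER BY seq DESC LIMIT 1;
    v_prev := coalesce(v_prev, repeat('0', 64));   -- genesis link for the first record
    v_hash := pricing_record_hash(v_prev, v_at, p_payload);
    INSERT INTO pricing_decisions (decided_at, payload, prev_hash, hash)
        VALUES (v_at, p_payload, v_prev, v_hash);
    RETURN v_hash;
END $$;

-- Verification for the on-demand / scheduled integrity job: recompute every hash
-- from its stored inputs and compare each prev_hash with the previous row's
-- stored hash. Zero rows returned means the chain is intact.
CREATE FUNCTION verify_pricing_chain()
RETURNS TABLE (bad_seq bigint, problem text) LANGUAGE sql STABLE AS $$
    WITH linked AS (
        SELECT d.seq, d.prev_hash, d.hash,
               pricing_record_hash(d.prev_hash, d.decided_at, d.payload) AS recomputed,
               lag(d.hash) OVER (ORDER BY d.seq)                          AS expected_prev
        FROM pricing_decisions d
    )
    SELECT seq, 'record altered: stored hash does not match its contents'::text
    FROM linked WHERE hash <> recomputed
    UNION ALL
    SELECT seq, 'link broken: prev_hash does not match the previous record'::text
    FROM linked WHERE prev_hash <> coalesce(expected_prev, repeat('0', 64))
    ORDER BY 1
$$;

-- Constructed sample decisions, appended in order.
SELECT append_pricing_decision('{"type":"guardrail_check","sku":"SKU-A","proposed":97.50,"floor":95.00,"result":"pass"}');
SELECT append_pricing_decision('{"type":"override","sku":"SKU-A","from":97.50,"to":92.00,"approver":"sales-manager-1"}');
SELECT append_pricing_decision('{"type":"realized_price","sku":"SKU-A","price":92.00}');

-- Intact chain: returns no rows.
SELECT * FROM verify_pricing_chain();

-- An after-the-fact edit to record 2 (by anyone with write access to the table)
-- leaves its stored hash stale, so the next verification run flags seq 2.
UPDATE pricing_decisions SET payload = payload || '{"to": 96.00}' WHERE seq = 2;
SELECT * FROM verify_pricing_chain();
```

This is exactly the property the caveat above describes: the edit succeeds, and what the chain gives you is detection on the next verification run. An actor who could rewrite every row and recompute every hash would pass this check, so the usual complement (general design guidance, not something this page states) is to record the latest chain hash somewhere the database writer cannot change, so that the head of the chain can be compared against an external anchor.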
How VendorX ships, measures, and recovers. The DORA Four Keys (deployment frequency, lead time, change failure rate, time to restore) plus the 2023 reliability addition, instrumented end-to-end via GitHub Actions, Sentry, OpenTelemetry, Prometheus, and an incident register that documents every recovery. Honest about scale: we report posture, not a DORA performance band, because tier classification at solo-engineer Year-1 volume is statistically meaningless. Methodology, toolchain, and roadmap at /trust-center/engineering-velocity.
Vendor management policy covering infrastructure providers (Azure, Vercel, Stripe, Render). Security posture inherited from provider SOC 2 certifications. Vendor evidence collection tracked as part of SOC 2 readiness.
VendorX uses the following sub-processors to deliver platform services: Microsoft Azure (West US 2 — compute, storage), Render (US — managed PostgreSQL), Vercel (global edge — frontend hosting), Stripe (payments — PCI DSS Level 1), ShipStation (shipping label generation), Sentry (error tracking and monitoring), and HetrixTools (uptime monitoring; HTTP probes only, no PII; 4 monitoring locations). Critical/High-tier sub-processors (Azure, Render, Vercel, Stripe, ShipStation, Sentry) maintain SOC 2 Type II certification or equivalent. Medium-tier sub-processors (HetrixTools) are governed under Vendor Management Policy 3.22 with attestations appropriate to their data-access scope (HetrixTools processes no PII; GDPR self-attestation; vendor risk assessment at docs/Business/.../vendor-assessments/hetrixtools-2026-04-25.md). Changes to sub-processors are communicated to partners in advance.
Platform application services run in the Microsoft Azure West US 2 region. The primary database (PostgreSQL) is hosted on Render US infrastructure. The frontend is served globally via the Vercel edge network. All tenant data at rest resides within United States data centers. Cross-border data transfer mechanisms will be documented as part of GDPR readiness for partners with EU exposure.
VendorX commits to notifying affected partners within 72 hours of a confirmed security breach involving personal data or tenant data, satisfying the most restrictive US state notification statutes (California SB-1386/AB-1950, New York SHIELD Act, Colorado CPA). Notification includes: nature of the breach, categories of data affected, remediation steps taken, and recommended partner actions. Partners are responsible for downstream notification to their end customers.
Published vulnerability disclosure policy based on CISA VDP template. Includes scope definition, safe harbor commitment for good-faith security researchers, severity-based response SLAs, and coordinated disclosure timeline. Accessible at /trust-center/vulnerability-disclosure.
Real-time platform health monitoring via Azure Application Insights and Vercel analytics. Public status page planned for Month 1-2 to provide incident visibility, uptime history, and scheduled maintenance windows.
Documented data retention and disposal policy covering tenant data, audit logs, backups, and account closure procedures. Retention periods aligned with legal requirements and operational needs. Partners receive data export and deletion confirmation upon request.
Annual third-party penetration testing targeting cross-tenant access, authentication bypass, and API security. First engagement scheduled for Month 3.
SOC 2 readiness program managed through Sprinto. Policy documentation in progress. Type I audit targeted for Month 5-6, Type II for Month 12-18.
Documented business continuity and disaster recovery plan. Infrastructure hosted on Azure with managed database services. Backup restoration testing in progress.
Standard DPA available for partners processing personal data through VendorX. Covers data handling obligations, sub-processor governance, breach notification terms, and data subject rights support for GDPR and CCPA compliance readiness.
VendorX maintains cyber liability insurance coverage providing financial protection against data breaches, security incidents, and related claims. Certificate of insurance available to partners upon request.
Request a security review or speak with our security team directly.