Security & Compliance

Enterprise-grade security for your vendor data

Vendor Lantern Cloud is built with security at its core. Your vendor assessments, evidence files, and review records are protected by industry-standard encryption, strict access controls, and comprehensive audit logging.

Security Pillars

How we protect your data

Six foundational security controls that ensure your vendor management data stays confidential, available, and tamper-proof.

Data encryption

All vendor data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed through a dedicated key management service with automatic rotation.

Access control

Role-based access control (RBAC) ensures each team member sees only what they need. Enterprise plans support SSO via SAML 2.0 and enforce multi-factor authentication for all administrative accounts.

Data residency

Choose where your data is stored. Vendor Lantern Cloud supports configurable data residency regions with no cross-border transfers without explicit consent. Your vendor records stay where you need them.

Audit logging

Every action — login, view, edit, approve, export — is logged with a tamper-proof audit trail. Logs are retained for 24 months and can be exported for compliance reviews and incident investigations.

Incident response

A documented incident response plan with defined SLAs, escalation paths, and notification timelines. Security incidents are communicated to affected customers within 72 hours per GDPR requirements.

Compliance certifications

SOC 2 Type II audited annually. GDPR and CCPA compliant with data processing agreements available on request. Regular third-party penetration testing and vulnerability assessments.

Infrastructure

Platform security

The systems that run Vendor Lantern Cloud are hardened, monitored, and regularly tested to maintain the highest security posture.

Cloud infrastructure

Hosted on isolated VPCs with network segmentation between tenants. All infrastructure is managed through infrastructure-as-code with no manual server access.

Automated backups

Daily encrypted backups with point-in-time recovery. Backups are stored in a separate region from primary data centers with a 90-day retention window.

Penetration testing

Annual third-party penetration tests with remediation SLAs for critical findings. Continuous vulnerability scanning runs weekly with automated patching for critical CVEs.

Secure development

All code changes go through peer review and automated security scanning. CI/CD pipelines include SAST, dependency vulnerability checks, and container image scanning before deployment.

Data Control

Your data, your control

We believe you should always be in control of your vendor data. Portability, transparency, and deletion rights are built in — not bolted on.

Your data, your ownership

You own your vendor data — not us. We act as a data processor on your behalf and will never use your data for our own purposes, sell it, or share it with third parties.

Full portability

Export all vendor records, review histories, and evidence files at any time in standard formats (CSV, JSON). No lock-in — your data is always portable.

Configurable retention

Set retention policies that match your compliance requirements. Automatically archive or purge records based on your organization's data retention schedule.

Deletion on request

Request permanent deletion of specific vendor records or your entire account. Deletion is completed within 30 days and confirmed in writing with a certificate of destruction.

Certifications

Compliance you can verify

SOC 2 Type II

Annually audited by an independent third party. Covers security, availability, and confidentiality trust service criteria.

GDPR

Fully compliant with data processing requirements. Data processing agreements available for all customers.

CCPA

Supports consumer data rights including access, deletion, and portability. Privacy notices updated annually.

FAQ

Security questions

Where is my data stored?

Vendor Lantern Cloud supports configurable data residency. By default, data is stored in US-based data centers. Enterprise customers can specify preferred regions (EU, US, APAC) during onboarding. All data centers are SOC 2 Type II certified with 99.9% uptime SLA.

How do you handle security incidents?

We follow a documented incident response plan with severity-based SLAs. Critical security incidents trigger immediate containment, and affected customers are notified within 72 hours per GDPR requirements. Post-incident reviews result in concrete remediation actions with tracked completion.

Can I get a copy of your SOC 2 report?

Yes. Our SOC 2 Type II report is available under NDA for current and prospective customers. Contact our security team through the demo request form or email security@vendorlantern.com to request a copy.

How is access to my data controlled?

Access is controlled through role-based permissions within your organization and strict least-privilege principles on our side. All production access requires MFA and is logged. Our engineering team accesses production systems only through audited, time-limited sessions with full logging.

What happens to my data if I cancel?

After your subscription ends, you have a 30-day grace period to export your data. After that period, all data is permanently deleted from our systems and backups within 60 days. We provide a written confirmation of deletion upon request.

Do you support data processing agreements?

Yes. We provide GDPR-compliant data processing agreements (DPAs) for all customers. Enterprise customers receive a pre-signed DPA during onboarding. Standard and Starter customers can request a DPA at any time through their account settings or by contacting our team.

Ready for a secure vendor management solution?

Get a detailed security walkthrough with our team. We'll cover our architecture and compliance posture, and answer any security-specific questions.