Security & compliance

Security that's boring.

VenduSys handles money, identity and inventory for the teams that run on it. We treat security and compliance as features — built in early, audited continuously, and explained without marketing prose.

SOC 2: Type II · audited annually
ISO 27001: In progress · 2026
GDPR: Native · DPA on file
Hosting: EU only (Paris)
Encryption: TLS 1.3 · AES-256 · BYOK
Report a vuln: security@vendusys.com · PGP

Request the security pack →
Certifications

Audited where it counts.

We audit what is meaningful for our customers and the regulators they answer to. We do not stack badges for the sake of it.

A. SOC 2 Type II
Annual audit covering security, availability, confidentiality and privacy. Report under NDA.
Annual · NDA · since 2026

B. ISO 27001
Information-security management system. Certification in progress, expected late 2026.
In progress · expected Q4 2026

C. GDPR / DPA
Native GDPR posture. DPA on file, DPIA support, sub-processors disclosed and reviewed.
DPA · DPIA · Sub-processors

D. PCI-DSS scope
We do not store card numbers. Payments are routed via PCI Level 1 partners (Stripe, Adyen).
SAQ-A · Out of scope
How we run

The shape of our controls.

Specifics, not vibes. Each row below is something an auditor will ask you about; we wrote down our answers up front.

Identity & access: SSO + MFA required for all staff · least-privilege roles · just-in-time access to production · quarterly review
Engineering: Mandatory code review · pinned dependencies · SAST + SCA in CI · dependency review on every PR
Secrets: Centralized vault · short-lived credentials · key rotation every 90 days · per-tenant isolation
Encryption — transit: TLS 1.3 only · HSTS · forward secrecy · public-key pinning for partner endpoints
Encryption — rest: AES-256 for application data · per-tenant DEKs · BYOK on Enterprise · HSM-backed KMS
Backups: Point-in-time recovery on Postgres · 35-day window · cross-region replicas · annual restore tests
Logging: Structured audit log of every privileged action · immutable 90-day retention · exportable to your SIEM
Vulnerability program: External pentest annually · continuous DAST · bug bounty (private) · 30-day SLA on criticals
Incident response: 24/7 on-call · documented runbooks · customer notification within 72 hours · public post-mortems
Vendor management: Sub-processors disclosed at /legal/dpa · risk tier reviewed annually · DPAs on file
Data residency: EU by default (Paris primary, multi-AZ DR within region) · region pinning on Scale & Enterprise · audit-friendly data export
Data deletion: Per-tenant deletion on request · cascading audit-log retention · documented retention schedule
Disclosure

Found something? Tell us.

We run a private bug-bounty program and respond to coordinated disclosures within 72 hours. Encrypt with our PGP key; we will reply on the same channel.

Email: security@vendusys.com
PGP key: Available at vendusys.com/.well-known/security.txt
Response SLA: Critical: 24h · High: 72h · Medium: 5 business days
Safe harbor: Good-faith research is welcome · no legal action against responsible disclosure
Out of scope: Denial-of-service, social engineering against staff, physical attacks
Bounty: Private program · €500–€10,000 by severity · invitation only
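As an added illustration of the file referenced above (not VenduSys's published security.txt), this is the shape a security.txt takes under RFC 9116. Only the contact address comes from this page; the PGP key URL, expiry date, policy URL and canonical URL are placeholders.

```text
# Example security.txt in RFC 9116 format. Added illustration, not the file VenduSys publishes.
# Served as text/plain at https://<host>/.well-known/security.txt.

# Contact address is the one given on this page.
Contact: mailto:security@vendusys.com

# Placeholder: the page says the PGP key is reachable via security.txt but does not give its URL.
Encryption: https://vendusys.com/.well-known/PLACEHOLDER-pgp-key.txt

# Required by RFC 9116. Placeholder date; must be refreshed before it lapses.
Expires: 2026-12-31T23:59:59.000Z

# Placeholder: where the safe-harbor and scope text shown on this page would live.
Policy: https://vendusys.com/PLACEHOLDER-disclosure-policy

Preferred-Languages: en
Canonical: https://vendusys.com/.well-known/security.txt
```

RFC 9116 recommends signing the whole file with an OpenPGP cleartext signature from the same key and keeping Expires less than a year in the future, so a researcher can check the signature before trusting the Contact line.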

Need the security pack?

SOC 2 report, DPA, sub-processor list, pentest summary.
Request access →