Overview
Security is a first-class concern at Vendra. Every change to the platform passes through code review, automated security checks, and a staged deploy with canary monitoring before reaching production. Customer PII is isolated per merchant tenant and encrypted end-to-end.
Compliance
SOC 2 Type II — annual audit covering security, availability, processing integrity, confidentiality, and privacy.
ISO 27001 — information security management system certification, recertified annually.
PCI DSS Level 1 — payment data processed exclusively by certified providers; Vendra never handles raw card numbers.
Audit reports are available under NDA via security@vendra.com.
Encryption
All data in transit uses TLS 1.3 with modern cipher suites. Data at rest is encrypted with AES-256 in AWS managed services. Database backups, log archives, and offsite snapshots are encrypted with separate keys managed in AWS KMS.
Payment data
Card numbers, CVVs, and bank account details never touch Vendra servers. Stripe, our PCI DSS Level 1 partner, tokenizes payment instruments in the customer’s browser; we store only the resulting opaque token and the last four digits for display.
Access controls
All Vendra employees authenticate with hardware-backed two-factor authentication. Production access is granted on a least-privilege, time-bounded basis, with every action audit-logged. Customer support agents see only the data necessary for the request.
Monitoring & response
We instrument the platform with anomaly detection on authentication, payment, and inventory operations. Suspicious activity routes to a 24/7 on-call rotation. We commit to a 24-hour breach notification window for any confirmed incident affecting customer data.
Reporting issues
If you discover a vulnerability, we want to hear from you. Email security@vendra.com. We acknowledge reports within one business day and run a coordinated disclosure program for serious findings.