This page provides Vatidator's public-facing security and compliance documentation. It is intended for IT security teams, procurement reviewers, and customers conducting due diligence on Vatidator as a B2B SaaS vendor.
If you need a Data Processing Agreement (DPA), a security questionnaire response, or a custom procurement packet, contact [email protected].
Documents
Information Security Policy
How Vatidator handles customer data, data classification, residency, encryption, access control, audit logging, incident response, compliance roadmap, and business continuity. Suitable for IT security review.
Sub-processor and External Registry Disclosure
Third parties that may receive or process data in connection with the Vatidator service. Distinguishes between service sub-processors (under our DPA), external validation registries (independent data sources we query on the customer's behalf), and future or planned providers.
Vulnerability Disclosure Policy
How to report a security vulnerability in Vatidator's service, what to expect from us in return, the scope of our safe harbor, and the testing rules we ask researchers to follow.
Current security posture
Vatidator operates as an early-stage B2B SaaS provider with security controls appropriate to its current scale and risk profile. Our security program is designed to mature progressively as customer requirements and platform scale increase.
Current state:
- GDPR-aware data handling with a Data Processing Agreement available on request
- EU-based hosting and audit storage for Vatidator-managed customer data
- Tenant-scoped access controls and authenticated API access
- Tamper-evident audit logging using cryptographic hashes
- Documented incident response and recovery procedures
Planned maturity roadmap:
- Migration of secrets to Azure Key Vault
- Formal security control register
- Annual external penetration testing
- SOC 2 Type 1 readiness assessment
- SOC 2 Type 2 audit
- ISO 27001 certification evaluation
- Immutable audit storage and/or eIDAS-qualified timestamping for enterprise plans
We do not currently hold SOC 2 or ISO 27001 certification. Customers requiring these certifications may request our current security controls summary, risk assessment, and maturity roadmap for procurement review.
Contact
- Security disclosures: [email protected]
- General inquiries: [email protected]
- Privacy questions: [email protected]
Legal entity: Vatidator OÜ, Sepapaja tn 6, 15551 Tallinn, Estonia. Registry code 17526048.