Vault Agentics
Trust Center

Security

Last updated: May 11, 2026

Security is a first-class part of every engagement. Our program is aligned to the NIST Cybersecurity Framework 2.0, ISO/IEC 27001, and SOC 2, and is operated by a small senior team with deep operator experience.

Governance

An information security policy is approved by the Managing Member and reviewed at least annually. Roles and responsibilities are documented; the security function reports independently of delivery.

People

  • Background checks for personnel, where lawful.
  • Mandatory security and privacy training at hire and annually, with role-based training for engineering and AI work.
  • Confidentiality and acceptable-use obligations are part of every engagement.

Identity & access

  • SSO with phishing-resistant MFA for production and administrative systems.
  • Least-privilege access; access reviews at least quarterly; immediate revocation on role change or separation.
  • Hardware-bound credentials for highly privileged operations where supported.

Endpoints

  • Centrally managed devices with full-disk encryption, EDR, automatic patching, and screen-lock policy.
  • Web filtering and DNS protection on managed devices.

Application & infrastructure

  • Cloud workloads on AWS with infrastructure-as-code, network segmentation, and private networking by default.
  • Encryption in transit (TLS 1.2+) and at rest (AES-256 or provider-managed equivalent).
  • Centralized secrets management; no static long-lived credentials in source code.
  • Branch protection, code review, dependency scanning, and SAST in CI/CD.

AI workloads

AI usage is governed by our AI Operating Standard. We default to no-training contractual commitments with model providers, classify data before model interaction, log AI activity, and require human review for actions that change customer systems. See AI Transparency.

Logging & monitoring

  • Centralized logs for identity, infrastructure, application, and AI events.
  • 24×7 alerting on high-severity signals; documented on-call.

Vulnerability management

  • Continuous vulnerability scanning of code, containers, and cloud configuration.
  • Independent penetration testing at least annually for client-facing systems.
  • SLA-driven remediation prioritized by exploitability and exposure.

Business continuity

Backups are encrypted, isolated, and tested. RTO and RPO targets are defined in our continuity plan and reviewed annually. A continuity exercise is performed at least once per year.

Sub-processors

See Sub-processors for the current list and our 30-day notice commitment for material additions.

Reporting

Researchers can report issues via our coordinated disclosure program. Customers and prospects can request artifacts via the NDA-gated artifacts page.