Security and privacy at

Security is at the heart of what we do – helping our customers automate their data-flows is done with the highest security standards.


Governance’s Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.


Our policies are based on the following foundational principles:


Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.


Security controls should be implemented and layered according to the principle of defense-in-depth.


Security controls should be applied consistently across all areas of the enterprise.


The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.



Data protection

Data in transit

Vanta uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.

Secret management

Encryption keys are managed via ansible Vault so no employee can gain access to sensitive data.

Vulnerability scanning

Malicious dependency scanning to prevent the introduction of malware into our software supply chain

Dynamic analysis (DAST) of running applications

Network vulnerability scanning on a period basis

External attack surface management (EASM) continuously running to discover new external-facing assets


Security education

Vanta provides comprehensive security training to all employees upon onboarding and annually through educational modules within Vanta’s own platform. In addition, all new employees attend a mandatory live onboarding session centered around key security principles. All new engineers also attend a mandatory live onboarding session focused on secure coding principles and practices.

Vanta’s security team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.