Trust Centre

One link your security team can sign off on.

Our compliance posture, the controls behind it, every vendor that touches customer data, and the documents your security, privacy, and procurement teams will ask for. Current and honest. Where work is in progress, we say so.

All systems operational · Primary region: EU (Belgium, GCP) · Frameworks: GDPR, EU AI Act, SOC 2, ISO 27001
01 Compliance posture / four frameworks

Where we stand on the frameworks customers ask about.

Our posture is current and honest. Where work is in progress, we say so.

GDPR & UK GDPR: Compliant
Lawful basis documented. DPA available on request.
EU AI Act: Ready
Human-in-the-loop by default. No automated adverse decisions about candidates.
SOC 2 Type II: In progress
Controls mapped. Audit underway. Letter of engagement available under NDA.
ISO 27001: In progress
Statement of Applicability scoped. Targeting certification in 2026.
02 Security controls / six categories

The controls behind the certifications.

Plain-language summaries of what we actually do. Full evidence available under NDA.

01 Identity & access

  • MFA required for every member of staff
  • SSO / SAML 2.0 for enterprise logins (Okta, Entra ID, Google Workspace)
  • Role-based access with least-privilege defaults
  • Quarterly access reviews of production systems
  • Every admin action logged and tamper-evident
02 Data protection

  • AES-256 encryption at rest, TLS 1.3 in transit with HSTS
  • Per-tenant key isolation; no shared keys across customers
  • Configurable retention windows and one-click deletion
  • Right-to-be-forgotten honoured within 30 days, with proof
  • Customer data is never used to train shared models
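The "TLS 1.3 in transit with HSTS" line is one a reviewer can verify from outside: fetch the Strict-Transport-Security header from the application host and grade it. The parser below is an added example, not Vitae's code. It follows the directive grammar of RFC 6797 (case-insensitive names, optional quoted values, unknown directives ignored, duplicates invalid) and flags a policy weaker than a one-year max-age with includeSubDomains. That baseline is an assumption chosen to match the browser preload-list requirements; the sample header values are constructed, not captured from any host.

```python
from dataclasses import dataclass, field
from typing import Optional

MIN_MAX_AGE = 31_536_000  # assumed baseline: one year, the browser preload-list minimum


@dataclass
class HstsCheck:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_hsts(header: Optional[str]) -> HstsCheck:
    """Parse a Strict-Transport-Security value (RFC 6797 s6.1) and grade it."""
    result = HstsCheck()
    if header is None:
        result.problems.append("no Strict-Transport-Security header")
        return result

    seen = set()
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # empty directives are permitted and ignored
        name, _, value = raw.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:  # a directive MUST NOT appear more than once
            result.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                result.max_age = int(value)
            else:
                result.problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # unrecognised directives are ignored, as the RFC requires

    if "max-age" not in seen:
        result.problems.append("max-age missing; browsers ignore the header")
    elif result.max_age == 0:
        result.problems.append("max-age=0 clears the policy (HSTS disabled)")
    elif result.max_age is not None and result.max_age < MIN_MAX_AGE:
        result.problems.append(f"max-age {result.max_age} below baseline {MIN_MAX_AGE}")
    if not result.include_subdomains:
        result.problems.append("includeSubDomains missing")
    return result


# Constructed sample values, not captured from any real host.
SAMPLES = {
    "strong": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=300; includeSubDomains",
    "disabled": "max-age=0",
    "absent": None,
}


def check_samples() -> dict:
    """Grade each sample; a host is acceptable only when its list is empty."""
    return {name: parse_hsts(value).problems for name, value in SAMPLES.items()}
```

In practice the header value comes from an HTTPS response to the real host; the check is only meaningful over HTTPS, since browsers ignore HSTS received over plain HTTP.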
03 Infrastructure

  • Hosted on Google Cloud (EU Belgium and US Iowa regions)
  • Region-pinned for the lifetime of your workspace
  • Edge delivery and Incremental Static Regeneration (ISR) via Vercel for the public marketing site
  • Daily encrypted backups with quarterly tested restores
  • Network isolation, private VPC, no public database endpoints
04 Application security

  • Code review required on every change before merge
  • Automated SAST and dependency scanning in CI
  • Annual third-party penetration test by a CREST-certified provider
  • Responsible disclosure programme with public credit
  • Secrets stored only in a managed vault — never in code or config
05 Monitoring & response

  • 24/7 alerting on production and security events
  • Tamper-evident security event logs retained for 12 months
  • Documented incident response playbooks, rehearsed quarterly
  • Customer notification within 72 hours of a confirmed incident
  • Public post-incident reviews after every P0 / P1
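Two of the controls above, the tamper-evident admin-action log under Identity & access and the tamper-evident security event log here, rest on the same mechanism. The example below is added here and is not Vitae's implementation. It shows the minimum a tamper-evident log needs: every record carries an HMAC over its own content and the previous record's tag, so editing, deleting or reordering any record breaks verification from that point onward. Quietly dropping records from the end is the one thing the chain alone cannot detect, so the example also anchors the latest tag in an out-of-band checkpoint. The key, the record layout and the sample admin events are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import json

GENESIS = "00" * 32  # hex tag the first record chains from


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the MAC is computed over identical bytes on replay."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append(log: list, key: bytes, event: dict) -> dict:
    """Append an event, chaining it to the previous record's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": event}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    log.append(entry)
    return entry


def verify(log: list, key: bytes, checkpoint: str | None = None) -> tuple[bool, int]:
    """Walk the chain; return (ok, index of the first bad record, or -1 when ok).

    checkpoint is the tag of the last record as stored somewhere the log
    writer cannot alter (a write-once store, a ticket, a signed digest).
    Without it, a log with records removed from the end still verifies.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # reordered, deleted or inserted record
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(entry.get("tag", ""))):
            return False, i  # content or tag edited
        prev = entry["tag"]
    if checkpoint is not None and prev != checkpoint:
        return False, len(log)  # tail truncated (or the checkpoint is stale)
    return True, -1


def demo() -> dict:
    """Constructed admin events (assumption); returns the verification outcomes."""
    key = b"example-hmac-key-kept-in-the-vault"  # assumption: loaded from the vault in practice
    log: list = []
    for ev in (
        {"actor": "alice", "action": "role.grant", "target": "bob", "role": "admin"},
        {"actor": "bob", "action": "export.create", "workspace": "ws_123"},
        {"actor": "alice", "action": "role.revoke", "target": "bob", "role": "admin"},
    ):
        append(log, key, ev)
    checkpoint = log[-1]["tag"]

    edited = json.loads(json.dumps(log))        # deep copy
    edited[1]["event"]["workspace"] = "ws_999"  # rewrite history in place
    deleted = log[:1] + log[2:]                 # drop the middle record
    truncated = log[:-1]                        # drop the last record

    return {
        "intact": verify(log, key, checkpoint),
        "edited": verify(edited, key, checkpoint),
        "deleted": verify(deleted, key, checkpoint),
        "truncated_no_checkpoint": verify(truncated, key),
        "truncated_with_checkpoint": verify(truncated, key, checkpoint),
    }
```

The HMAC key must be held by the verifier and not by the service writing the log, otherwise the writer can recompute a valid chain after editing it; an append-only store or a signature from a key the application cannot reach serves the same purpose for the checkpoint.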
06 People & policies

  • Background checks on all staff before access is granted
  • Annual security and privacy training, completion tracked
  • Confidentiality and IP obligations in every contract
  • Managed laptops with full-disk encryption and MDM
  • Clear acceptable-use, data-handling, and AI-use policies
03 Sub-processors / every vendor

Every vendor that touches customer data.

We notify customers in advance of any change. Subscribe at hello@vitae.ai to receive updates.

Vendor                | Purpose                                        | Region
Google Cloud Platform | Hosting, storage, compute                      | EU (Belgium), US (Iowa)
Vercel                | Edge delivery for the vitae.ai marketing site  | Global edge
Anthropic             | Claude models for agent reasoning              | US (zero data retention contract)
OpenAI                | GPT models, optional per workspace             | US (zero data retention contract)
Resend                | Transactional email                            | US / EU
Sentry                | Error monitoring                               | EU (Frankfurt)
04 Testing & assurance / how we prove it

How we prove the controls actually work.

Annual penetration test

An independent CREST-certified provider runs a black-box and grey-box test every year. The executive summary is available under NDA.

Continuous controls monitoring

Evidence is collected automatically across infrastructure, identity, and code. Findings trigger same-week remediation with an audit trail.

AI bias & evaluation

Models are evaluated across demographic cohorts before release and on every model update. Methodology shared on request.

05 Documents / public + on request

Everything your security team will ask for.

Your details are used solely to send the requested documents and respond to questions. We do not add you to marketing lists. We reply within one business day.

Available on request, under NDA

  • Security whitepaper
  • Architecture and data-flow overview
  • SOC 2 Type II report (once the first audit cycle completes)
  • ISO 27001 Statement of Applicability
  • Penetration test executive summary
  • Business continuity & disaster recovery plan
  • Information security policy
  • Vendor risk assessment
  • Cyber insurance certificate
Request by email: hello@vitae.ai
06 Responsible disclosure / found something?

Found something? Tell us.

What we ask of researchers

  • Reasonable time to fix before public disclosure
  • No unauthorised access, modification, or deletion of data
  • No automated scans that disrupt the service
  • In-scope assets only: vitae.ai, app.vitae.ai, and our public APIs

What you can expect from us

  • Acknowledgement within 2 business days
  • Triage and severity assessment shared with you
  • Regular updates until the report is closed
  • Public credit on request once the fix ships
Report to hello@vitae.ai
Questionnaires

We answer security questionnaires in days, not weeks.

We accept CAIQ, SIG Lite/Core, or your own custom questionnaire. Standard turnaround is one business week. Need a security call to walk through the answers? Email hello@vitae.ai and we’ll get a 30-minute slot on the calendar.

Move recruiting to a platform your security team already trusts.

GDPR by default. SOC 2 in progress. Encryption, audit logs, and data residency on every plan.
