Vendr Security Overview
Updated: July 24, 2024
As a SaaS procurement and management platform, we recognize that an important step of the procurement lifecycle is vetting the security postures of suppliers, both on initial intake and in ongoing supplier relationships. This includes the Vendr platform itself. The aim of this overview is to assist you in your own security approval workflow of Vendr.
Security & Compliance at Vendr
Vendr maintains a dedicated CyberSecurity team to assist in the daily operations of maintaining security, including information governance, internal audit, compliance, vulnerability management, incident triage and response, responding to data privacy requests, and employee security awareness & training. The Cybersecurity team reports directly to the CTO, and quarterly Risk Committee meetings are held with additional C-suite stakeholders to evaluate the ongoing efficacy of the security program.
Application and Infrastructure Security
The Vendr production application’s multi-tenant environment is hosted entirely within AWS. Vendr utilizes the AWS US-EAST-1 (Virginia, USA) region for production, with data backups also stored in US-EAST-2 (Ohio, USA).
AWS data centers are highly secure, are SOC 1 and SOC 2 compliant, in addition to being ISO 27001, SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley compliant. Their SOC reports are accessible at https://aws.amazon.com/compliance/soc-faqs/.
Our premium add-ons support SSO and audit logging for compliance.
We employ AWS CloudFront, AWS Web Application Firewall (WAF) and AWS GuardDuty for attack detection and mitigation, and our cloud SIEM monitors our infrastructure for security events, compliance, and overall cloud health. Alerts are reviewed and triaged by our Security Team.
The status of the application can be checked at https://status.vendr.com/. Users can subscribe to updates to be informed about unplanned outages. Scheduled maintenance is communicated via our Customer Team.
Software Development Lifecycle
As part of maintaining a secure Software Development Lifecycle (SDLC), we ensure that every code change is tested, peer reviewed, and approved before being deployed to the production environment. Production and development/testing environments are kept entirely separated, and privileged access is regularly reviewed and strictly managed, with branch protection enabled on in-scope repos.
The application undergoes regular static application security testing (SAST) and dependency scanning, as well as weekly external vulnerability scans, with any new findings added to our engineering backlog for evaluation, tracking, and remediation per our SLAs, as outlined in our Vulnerability Management Policy.
Our vulnerability remediation SLAs based on severity are as follows:
Our engineers receive secure development training on an annual basis, including review of OWASP Top 10.
We undergo an annual external penetration test with all findings ticketed and tracked for remediation. The executive summary of this report is shareable with our customers.
At this time, Vendr does not maintain a paid Bug Bounty program, however, we encourage security researchers to report all vulnerabilities to us as outlined in our Responsible Disclosure Policy, available at https://vendr.com/disclosure.
Data Security and Privacy
As outlined in our Privacy Policy, Vendr processes very limited non-sensitive PII of users involved in the customer’s procurement services, and no more than necessary to render the agreed upon services. These categories include name, email, job title, and phone number. Our full Privacy Policy can be reviewed at https://www.vendr.com/legal/privacy-policy.
In addition, Vendr stores and processes information pertaining to the purchase, renewal, negotiation, and management of software for our customers, including contracts, quotes, sales/purchase information, agreements and other documents which may contain limited sensitive financial information, including the terms and costs associated with SaaS purchases.
We maintain a multi-tenant logical separation architecture to segregate customer data. All data in transit is encrypted using TLS v1.2 or greater, while all stored data is encrypted with AES-256.
Encryption keys are managed by AWS, and backups of critical system information are made daily.
Both the Vendr SaaS Platform and any stored data is hosted within the AWS US-east region. We vet our subprocessors and ensure compliance to state, local, and international privacy regulations and have a Data Privacy Addendum. Our current list of data subprocessors is available at https://www.vendr.com/legal/data-subprocessors. In adherence to our DPA requirements, Customers are notified of any changes to this list.
Organizational and Corporate security
Endpoints
All endpoints are protected against malware and viruses with an EDR solution. Devices are monitored for up-to-date security configurations and managed through our Mobile Device Management (MDM) system, and critical patches and updates are applied as soon as they are available. Endpoints receive full disk encryption and local admin privileges are restricted and logged.
System Access
We have implemented role-based access control (RBAC) on all internal systems. Access is granted according to least privilege, and access to the production environment or customer data requires prior administrator approval, SSO and MFA. All access is logged, and quarterly reviews are conducted on all systems and software. Employee terminations or role changes prompt access revocation within a reasonable timeline as defined by company procedural commitments.
Third-Party Management
Our third-party management program includes review of new vendors, including examination of their SOC2 reports, ISO 27001 certification, cyber liability coverage, penetration test results, privacy policy, and BCP/DR plans, and current vendors are reviewed on a recurring basis at renewal or annually, whichever comes first. Exceptions noted in the review must be approved by management in order for the relationship with the vendor to continue.
Subprocessors are subject to additional scrutiny to ensure compliance to applicable privacy regulations and adequate protection of customer data.
Risk Management
Vendr tracks its risks through a dedicated Risk Register within our Trust Management Platform. Each risk is assigned to an appropriate stakeholder, and evaluated and rated annually with relevant controls and mitigation plans attached and monitored for completion. Outstanding or excessive risk is reviewed quarterly in Risk Committee meetings.
Physical Security
Vendr’s office locations are protected by CCTV systems, front desk security guards, keycard access, and required visitor check-in.
People Operations
All employees undergo a background check, and are evaluated for the required education and experience for the position to which they are applying. Employees agree to our full suite of CyberSecurity policies, which include our Acceptable Use Policy, Code of Conduct, Employee Handbook, and BYOD policy, and undergo required CyberSecurity Awareness Training, as part of onboarding and annually thereafter. Employees are bound by confidentiality obligations as part of their employment. Contractors, consultants, and other contingent workers undergo policy acceptance and training, and agreements contain applicable confidentiality clauses. We maintain dedicated Help Desk and security Slack channels for employees to report suspicious or unusual activity, and our Security team makes regular announcements concerning relevant security events reported by CISA, other advisory boards, or relevant news sources. Employee performance reviews are conducted on an annual basis with Performance Improvement Plans issued as necessary.
Information Security Policies
Our Information Security policies and procedures cover each aspect of our security program. The Risk Committee (including the CEO, CTO, and other relevant stakeholders) reviews, updates, and approves these policies on an annual basis. We maintain detailed SOPs and playbooks for our Incident Response, Disaster Recovery, and Business Continuity programs.
Cyber Insurance
We maintain an insurance policy that includes Technology Errors & Omissions coverage, which includes Cyber Liability protection for Vendr and our customers.
Business Continuity and Disaster Recovery
We maintain current Business Continuity and Disaster Recovery policies and plans, and conduct annual tabletop testing. Additional playbooks are developed as new risks arise in the risk management process.
Compliance
Vendr has achieved SOC2 Type 2 compliance and undergoes yearly recertification audits. Our most recent audit report and other available security documentation is accessible here.
Established infrastructure and organizational controls are monitored and tracked for continuous compliance through our Trust Management Platform, with alerts and regular periodic reviews conducted by members of our security team.
Our privacy program has been constructed to comply with applicable privacy regulations such as the GDPR and CCPA, and we maintain a data privacy submission form and hotline that is available at https://preferences.vendr.com/privacy or (833) 953-2675.
The Privacy Policy other relevant policies, including the Terms of Use, Master Services Agreement and Data Processing Addendum, are available at vendr.com/legal.
Contacting our Security Team
Additional questions may be directed to [email protected].