Vanilla security

At Vanilla, security, trust, and data protection are vital to our business.  Vanilla uses best practices and industry standards designed to keep data safe, which in turn helps our customers meet their own compliance requirements.

If you have additional questions, please contact us at


Policies and Standards

  • Vanilla undergoes an annual SOC 2 Type II audit. A copy of our most recent SOC 2 report may be requested by emailing
  • End client data of Vanilla customers in the Vanilla platform (“Client Data”) (including backups) is hosted in AWS data centers.
  • Maintains an Incident Response Plan (“IRP”) and internal procedures that include clearly defined roles and responsibilities and a reporting mechanism for suspected vulnerabilities and events affecting the security of Client Data. Tests and updates IRP as necessary, at least on an annual basis.
  • Maintains a Code of Conduct covering anti-bribery and corruption, whistleblowing and other ethics policies and communicates these policies to all employees.

Personnel and Training

  • Conducts pre-employment background screening on all employees.
  • Requires all employees and data sub-processors to be bound by a confidentiality agreement.
  • Requires employees to undergo security awareness (including phishing), data handling, and ethics training at least annually.


  • Implements network firewall protection.
  • Implements web application firewall protection.
  • Maintains routers and ACLs Provides network redundancy.
  • Implements intrusion detection and prevention systems (IDS/IPS).
  • Client Data and access segregated using a multi-tenant model.
  • Uses separate physical and logical development, test and production environments and databases.

Network and System Security

  • Encrypts Client Data in transmission with TLS encryption. Implements encryption for Client Data at rest using AES-256. Has implemented industry standard disk-level encryption on all machines that store or process Client Data. Cryptographic controls are also implemented for backups.
  • Encryption keys used to store Client Data are stored in a designated vault or key management service following industry best practices. Encryption keys are rotated at least once per year.
  • Uses a corporate VPN (virtual private network) connection to access systems with Client Data.
  • Logically segregates Client Data from all other Vanilla and third-party data.
  • Implements a network intrusion detection system and captures logs for network security events.
  • Access to systems with Client Data is restricted to firm-approved devices and methods.
  • Prohibits copying or downloading of Client Data from Vanilla’s systems.
  • Limits the ability to access Vanilla’s systems to individuals with authorization and a business need.
  • Implements appropriate anti-virus/anti-malware detection software across systems that process and endpoint devices that access Client Data.

Application Security

  • Maintains policies and procedures for managing changes and updates to production systems, applications, and databases, including processes for documenting security patching, authentication, and the testing and approval of changes into production.
  • Implements key management procedures that include the secure generation, distribution, activation, storage, recovery, and replacement/update of cryptographic keys. Keys are rotated on a regular basis and lost, corrupted, or expired keys are revoked or disabled immediately.
  • Generates administrator and event logs for systems and applications that store, allow access to, or process Client Data.
  • Secure software engineering and coding practices are established, documented, and integrated in an official Secure Software Development Life Cycle (SSDLC). All new code is peer-reviewed and undergoes full quality assurance and regression testing prior to being introduced into production. Logically or physically separates environments for development, testing, and production.
  • Maintains system hardening procedures and baseline configurations for systems that store or process Client Data. Hardening procedures, at a minimum, remove all unnecessary services and applications, any default users and passwords.

Testing and Assessments

  • Has an independent third-party conduct a penetration test at least annually. Remediates vulnerabilities or findings in a timeframe that is commensurate with the identified risks.
  • Maintains a risk management program and conducts an annual risk assessment to help identify foreseeable internal and external risks to its business, including its information resources, and determine if existing controls, policies, and procedures are adequate.

Information Security Program

  • Has implemented and maintains a comprehensive, written Information Security Program (“ISP”) designed to protect against unauthorized access to Client Data.
  • ISP establishes proper policies, procedures, and standards designed to protect the security, confidentiality, integrity and availability of all information and data.
  • Assigns responsibility for information security management to senior personnel.
  • Maintains data classification based on data type and sensitivity, and maintains data handling requirements based on classification.

Third Party Vendor Management

  • Maintains a Vendor Management Policy and review process for all third party vendors that process Client Data.
  • Conducts a risk assessment of the data security practices of all third party vendors that process Client Data.

Access Controls

  • Access rights to Client Data are based on the principle of least privilege. Personnel access to environments and Client Data are restricted and segregated based on job responsibilities.
  • Reviews and revokes systems access rights on at least a quarterly basis.
  • Maintains separation of duties between individuals who request access, authorize access, enable access, and verify access.
  • Maintains a password management policy designed to ensure strong passwords consistent with industry standard practices. Meets or exceeds NIST guidelines for password security by requiring passwords with a minimum number of characters, complexity requirements, restrictions on password reuse, and a restricted number of password resets in a given timeframe.
  • Requires the use of multi-factor authentication to access systems containing Client Data.
  • Maintains an accurate and up-to-date list of all personnel who have access to systems and has a process to promptly disable access within one business day of transfer or termination.
  • Maintains procedures to collect any devices or equipment containing Client Data from any terminating employee at the time of termination.
  • Has documented change control processes.

Vulnerability Management

  • Maintains a vulnerability management process to identify, report, and remediate vulnerabilities by performing vulnerability scans, implementing vendor patches or fixes, and developing a remediation plan for vulnerabilities.
  • Penetration testing and vulnerability scanning is conducted on Vanilla systems at least annually. Any remediation items identified as a result of the assessment are resolved as soon as possible on a timetable commensurate with the risk. Upon request, will provide summary details of the tests performed, findings, and whether the identified issues have been resolved.
  • Implements an intrusion detection monitoring process at the network and/or host level to detect unwanted or hostile network traffic.

Asset Management

  • Employs hardening procedures for all storage devices containing Client Data.
  • Maintains an inventory of hardware assets.
  • Maintains capability of wiping corporate devices remotely if they are compromised.

Disaster Recovery/BCP

  • Maintains a disaster recovery plan and a business continuity plan and tests and updates them annually.
  • Backs-up production databases according to a defined schedule and stores encrypted back-ups in a manner that is logically and physically segregated from the production environment.

Ready to get started?

Deliver a whole new client conversation experience

Talk to our sales team today.