1. Overview
Data security is foundational to how Vendor+ operates — our clients trust us with datasets that are often sensitive, proprietary, or regulated. This page summarizes the technical, operational, and organizational measures we maintain to protect client content across every engagement, from a small pilot to a production-scale annotation program.
2. Infrastructure & hosting
Our platform is hosted on established cloud infrastructure providers with independently audited data centers. Environments are logically separated by client and engagement, with network access restricted through firewalls, private networking, and least- privilege security groups. Government and highly regulated engagements can be provisioned on dedicated or air-gapped infrastructure where required — see our Industries page for details.
3. Encryption
Client content is encrypted in transit using TLS 1.2 or higher, and at rest using industry-standard encryption (AES-256 or equivalent). Encryption keys are managed through a dedicated key-management service with restricted administrative access, and are rotated on a scheduled basis.
4. Access controls
Access to client content and production systems is governed by the principle of least privilege:
- Reviewer access is scoped to the specific tasks and queues assigned to their engagement.
- Internal access to production systems requires multi-factor authentication and is logged.
- Access is reviewed on a recurring basis and revoked immediately upon role change or offboarding.
- Administrative actions on client data are subject to audit logging.
5. Workforce vetting & training
Reviewers and domain experts undergo identity verification and background screening appropriate to the sensitivity of the engagement, along with mandatory confidentiality agreements before accessing any client content. Domain-expert annotation — clinical, legal, or financial — is restricted to individuals with the relevant professional credentials, as described on our Services page. All reviewers complete recurring security and data-handling training.
6. Compliance & certifications
Vendor+ maintains the following compliance posture:
- SOC 2 Type II — independently audited annually across security, availability, and confidentiality.
- ISO 27001 — certified information security management system.
- HIPAA-aligned workflows — available for clinical and PHI-adjacent engagements.
- GDPR-ready data handling — including support for Standard Contractual Clauses.
Audit reports and certificates are available to clients and prospective clients under NDA — contact nokillazone@gmail.com to request them.
7. Incident response
We maintain a documented incident response plan covering detection, containment, investigation, and notification. In the event of a confirmed security incident affecting client data, we will notify affected clients without undue delay and in accordance with the timelines specified in the applicable service agreement or applicable law, whichever is stricter.
8. Vulnerability disclosure
We welcome responsible disclosure of security vulnerabilities. If you believe you've identified a security issue affecting our website, dashboard, or services, please report it to nokillazone@gmail.com with sufficient detail to reproduce the issue. We ask that you avoid accessing or modifying data that isn't yours, and give us a reasonable period to investigate and remediate before public disclosure.
9. Sub-processors
We rely on a limited number of vetted sub-processors for infrastructure, storage, and communications, each bound by contractual security and confidentiality obligations no less protective than our own commitments to clients. A current sub-processor list is available on request.
10. Business continuity
Client content is backed up on a scheduled basis and stored redundantly across availability zones. Our business continuity and disaster recovery procedures are tested periodically to ensure service can be restored within the recovery objectives defined for production engagements.
11. Contact us
For security questionnaires, audit requests, or to report a vulnerability, contact nokillazone@gmail.com.