Security & Trust
This page answers the questions a security reviewer or procurement team typically asks during vendor due diligence. If something is missing, contact us.
Hosting & infrastructure
All core services run on AWS in the EU. No customer data is stored on AWS infrastructure outside the EEA.
- Application & API: AWS Lambda, API Gateway: eu-north-1 (Stockholm)
- Database: AWS DynamoDB: eu-north-1 (Stockholm)
- Scanning engine: AWS ECS Fargate: eu-north-1 (Stockholm)
- Authentication: AWS Cognito: eu-north-1 (Stockholm)
- AI research pipeline: AWS Bedrock: eu-west-1 (Ireland)
- Container registry: AWS ECR: eu-north-1 (Stockholm)
- UI hosting: AWS Amplify: eu-north-1 (Stockholm), served via CloudFront global CDN for static asset delivery
Third-party processors for billing, transactional email, and AI web search are US-based and operate under Standard Contractual Clauses (SCCs). See the full sub-processor list.
Encryption
In transit: All traffic between clients and the VendorTrace API uses TLS 1.2 or higher. HTTPS is enforced with HSTS (max-age 1 year, includeSubDomains). Plain HTTP requests are redirected to HTTPS automatically.
At rest: DynamoDB data is encrypted at rest using AWS-managed keys (AES-256) by default. Cognito user pools use AWS-managed encryption for stored credentials.
Passwords: User passwords are never stored by VendorTrace. AWS Cognito handles credential storage in its own hardened store and authenticates users with the SRP (Secure Remote Password) protocol.
Cloud integration credentials
When you connect a cloud integration, VendorTrace stores the credentials required to read your cloud configuration. These are the credentials stored per provider:
- AWS: IAM role ARN and a server-generated ExternalId. The role ARN is not a secret. The ExternalId is stored and presented on each role assumption to prevent confused-deputy attacks.
- GCP: Service account key JSON, including the private key. Encrypted with AWS KMS (eu-north-1) before storage in DynamoDB. Decrypted in memory only during sync operations.
- GitHub: Personal Access Token. Encrypted with AWS KMS (eu-north-1) before storage in DynamoDB. Decrypted in memory only during sync operations.
Credentials are never logged, never transmitted outside the AWS eu-north-1 environment, and are not included in backups or exports. Disconnecting an integration deletes the stored credentials from DynamoDB immediately.
Cloud integration access is read-only. VendorTrace reads your configuration to populate questionnaire answers. It does not write to, modify, or delete anything in your cloud environment.
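As an added illustration, not VendorTrace's own documentation, this is the shape of the customer-side IAM trust policy that the AWS integration described above relies on. The account ID (111111111111) and the ExternalId value are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVendorTraceAssumeRoleWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"
        }
      }
    }
  ]
}
```

The StringEquals condition on sts:ExternalId is what makes the non-secret role ARN safe to share: a party that knows only the ARN cannot assume the role. The permissions policy attached to the role (which read-only actions are granted) is not specified on this page and is not shown here.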
Session security
Authentication uses AWS Cognito JWTs. Session management is designed to limit credential exposure:
- Refresh tokens are stored in an httpOnly, SameSite=Strict, Secure cookie set by the VendorTrace server. They are not accessible to JavaScript.
- Access tokens are held in browser memory only. They are not written to localStorage or sessionStorage. They are discarded when the tab closes.
- Access token lifetime: 1 hour (Cognito default). Refresh tokens expire after 30 days of inactivity.
All pages are served with a strict Content Security Policy that restricts the sources from which scripts may be loaded and executed. Response headers include X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and Referrer-Policy: strict-origin-when-cross-origin.
Data retention & deletion
Scan result retention depends on plan tier:
- Free: not retained
- Pro: 90 days
- Team: 1 year
- Enterprise: configurable
Activity audit logs (IP addresses, action type, timestamp) are retained for 365 days regardless of plan, then automatically deleted by DynamoDB TTL.
Account deletion: You can delete your account from the account settings page. On deletion, your Cognito identity and account settings are removed immediately. Scan results and audit logs are deleted at the end of their TTL period. Billing history is retained for legal and tax purposes per Swedish law.
Data export: Account data and scan history export is available on request. Contact info@vendortrace.io.
Backups & availability
DynamoDB provides continuous automatic backups with point-in-time recovery (PITR) enabled. Recovery point objective (RPO) is 35 days. DynamoDB operates with multi-AZ replication within eu-north-1 by default, providing 99.999% availability SLA for stored data.
The scanning pipeline runs on ECS Fargate. Individual scan tasks are stateless. A failed scan task can be retried without data loss.
Access control
AWS IAM roles follow least-privilege principles. Each Lambda function and ECS task has a scoped role granting only the permissions it requires. No wildcard IAM policies are used for data-access roles.
Production AWS console access requires MFA. Access is restricted to the engineering team. No third-party contractors have standing access to production infrastructure.
Customer data is isolated by account. Scan results and vendor registers are partitioned by user ID in DynamoDB. Requests are authorised using Cognito JWTs validated at the API Gateway layer before reaching any data handler.
Incident response
In the event of a personal data breach, LINA Solutions AB will notify affected customers and the Swedish Data Protection Authority (IMY) within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
Customer notification will include: the nature of the breach, the categories and approximate number of individuals affected, likely consequences, and the measures taken or proposed to address the breach.
Incident response contact: info@vendortrace.io. For Enterprise customers, a dedicated incident notification channel is available.
Vulnerability disclosure
If you discover a security vulnerability in VendorTrace, please report it responsibly before public disclosure. We commit to:
- Acknowledging your report within 2 business days
- Keeping you informed as we investigate and fix the issue
- Crediting responsible disclosures in our changelog (if you wish)
- Not taking legal action against good-faith security researchers
Report to: security@vendortrace.io with subject line “Security disclosure”. Please include a description of the vulnerability, reproduction steps, and potential impact. General privacy enquiries go to info@vendortrace.io.
VendorTrace performs passive, outside-in analysis only. Our scanner does not authenticate to, probe, or exploit third-party systems. If you observe automated traffic from our infrastructure that concerns you, contact us and we will investigate promptly.
Audits & certifications
VendorTrace inherits SOC 2 Type II and ISO 27001 compliance from AWS for the infrastructure layer (compute, storage, networking). AWS audit reports are available via AWS Artifact.
VendorTrace itself does not currently hold SOC 2 or ISO 27001 certification at the application layer. If your procurement process requires a specific certification, contact us to discuss your requirements.
A security questionnaire (CAIQ or custom format) can be completed on request for Enterprise customers.
Something missing from this page? Email us with your question. We aim to publish answers to recurring due diligence questions here.
