Security basics
What to set up, what we do automatically, and how to escalate if something looks wrong. For the deeper technical picture, see the security overview.
Two-factor authentication
2FA is supported for every account and we strongly recommend turning it on. To enroll:
- Open Settings → Account → Set up two-factor.
- Scan the QR code with any TOTP authenticator: Google Authenticator, 1Password, Authy, Bitwarden, Microsoft Authenticator, or a YubiKey with TOTP support. Anything that implements RFC 6238 works.
- Confirm the 6-digit code. We’ll generate 8 single-use backup codes — print or save them somewhere offline. If you lose your phone, these are the only path back into your account without contacting support.
After enrollment, every login asks for the code in addition to the password. Rate limiting kicks in after several failed code attempts; the account locks for a cooldown window to defeat brute force.
Password resets
Forgot password from the login page sends a one-time reset link to your email. The link expires after 1 hour and is single-use; if you request a second one, the first is invalidated.
If you no longer have access to your email and 2FA, contact your account admin (the staff role inside your tenant). If you are the only admin and you’ve lost access entirely, reach out — we have a manual recovery process that requires identity verification and a delay.
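As an added illustration of the reset-link rules above (one hour, single-use, a second request invalidates the first), not VantaCRM's own code: the server stores only a hash of the random token, keeps one pending entry per user so a new request overwrites the old one, and deletes the entry the moment it is redeemed or found expired. The link URL shape in the comment is an assumption.

```python
import hashlib
import hmac
import secrets

RESET_TTL_SECONDS = 60 * 60   # links expire after one hour

class PasswordResets:
    """Server side of the reset-link flow (illustration only, not VantaCRM's code)."""

    def __init__(self):
        # user_id -> (sha256 of the token, expiry time). One entry per user, so a new
        # request replaces, and therefore invalidates, any earlier link.
        self.pending = {}

    def request(self, user_id: str, now: int) -> str:
        token = secrets.token_urlsafe(32)                       # 256 random bits
        # Only the hash is stored: a leaked table row cannot be turned into a working link.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user_id] = (digest, now + RESET_TTL_SECONDS)
        # The raw token goes into the emailed link, e.g. .../reset?uid=<user_id>&token=<token>
        return token

    def redeem(self, user_id: str, token: str, now: int) -> bool:
        """Consume the link. True exactly once, and only before expiry."""
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        if now >= expires_at:
            self.pending.pop(user_id, None)                     # expired: discard it
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest()):
            return False                                        # wrong token for this user
        self.pending.pop(user_id, None)                         # single-use: burn on success
        return True
```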
Who can see what
- Admin — full access to CRM data, settings, integrations, billing, and team management.
- Salesperson — full CRM data access (no tenant-wide settings); can manage their own profile, 2FA, and sessions. Cannot invite or remove users, cannot see billing.
More granular per-record visibility (own-records-only, team-shared, field-level permissions) is on the roadmap for larger sales orgs; it doesn’t exist today. If you need it before we ship it, tell us — demand is what prioritizes it.
Sessions and sign-out
Sessions are signed JWTs with a 30-day expiry. Changing your password invalidates all existing sessions immediately (you’ll be signed out on every other device). The same happens if an admin resets your password from the staff console.
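A signature alone cannot revoke a JWT: a 30-day token stays valid until it expires unless the server checks something it can change. The added example below (illustration, not VantaCRM's implementation) shows one standard way to get the behaviour described above: each token carries its issue time, and verification rejects any token issued before the account's last password change, which the server looks up itself. The HS256 key and the claim set are assumptions.

```python
import base64
import hashlib
import hmac
import json

SESSION_TTL = 30 * 24 * 3600   # 30-day expiry

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_session(key: bytes, user_id: str, now: int) -> str:
    """Mint an HS256 JWT for user_id, valid for SESSION_TTL seconds from now."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iat": now, "exp": now + SESSION_TTL}
    signing_input = (_b64(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_session(key: bytes, token: str, now: int, password_changed_at: int):
    """Return the user id for a live session, or None if the token must be rejected.

    password_changed_at is the account's last password change (stored server-side);
    a password change therefore invalidates every session issued before it.
    """
    try:
        h, c, s = token.split(".")
        # Always verify with HS256 and our own key; the header never picks the algorithm.
        expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        claims = json.loads(_unb64(c))
        if now >= claims["exp"]:
            return None                         # past the 30-day expiry
        if claims["iat"] < password_changed_at:
            return None                         # issued before the password change: revoked
        return claims["sub"]
    except (ValueError, KeyError, TypeError):   # malformed base64, JSON or claims
        return None
```

The same comparison works for an admin-initiated reset from the staff console: bumping the stored change timestamp is enough to sign the user out everywhere.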
Reporting a vulnerability
If you find a security issue, please report it — we appreciate it.
- Email security@vantacrm.com (preferred), or use the contact form with subject Security.
- Include a clear reproduction. PoC code, screenshots, and the affected URL accelerate triage.
- Please don’t exfiltrate data, run automated scanners against production, or test on tenants you don’t own. We’ll spin up a test tenant for you on request.
- We acknowledge within 1 business day, triage within 3, and aim to fix or have a credible plan within 14 days. We name reporters in the changelog with permission.
More
For encryption at rest, audit logs, tenant isolation, and the broader posture, see the public security overview. For data handling and retention, see privacy.