Two-factor authentication
Every Vanta CRM account supports TOTP-based two-factor authentication. Users can enroll any RFC 6238 authenticator — Google Authenticator, 1Password, Authy, or a hardware key with a TOTP app — from Settings.
Failed verification attempts are rate-limited per account. After repeated failures, the account is locked for a cooldown window. Recovery codes are generated at enrollment.
Tenant isolation
Every row in every table is keyed to a tenant. API routes and server actions verify the requester's session tenant against the resource's tenant on every read and write, and cross-tenant access is covered by regression tests that fail the build on a missing scope.
Mismatched tenant access is rejected with a 404, not a 403, to avoid leaking that the resource exists.
Background jobs inherit the tenant scope from the user or system context that enqueued them. The admin console is a separate app on a separate origin with its own auth, used only by staff for support.
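As an added illustration of the scope check described above (example code, not Vanta CRM's own; the Session and Lead types, the in-memory table and the helper names are constructed), this contrasts a lookup that reveals whether a foreign row exists with one that is scoped by the session tenant and answers 404 in both cases:

```typescript
// Added example (not Vanta CRM's own code): a tenant-scoped read as a server
// action would perform it. Session, Lead, HttpError and the in-memory table are
// constructed for this illustration.
type Session = { userId: string; tenantId: string };
type Lead = { id: string; tenantId: string; company: string };

class HttpError extends Error {
  status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
  }
}

// Constructed stand-in for a Postgres table: every row carries its tenant key.
const leadsTable: Lead[] = [
  { id: "lead-1", tenantId: "tenant-A", company: "Acme" },
  { id: "lead-2", tenantId: "tenant-B", company: "Globex" },
];

// Anti-pattern: look the row up first, then compare tenants. A 403 for a foreign
// row versus a 404 for a missing one tells the caller which ids exist elsewhere.
function getLeadLeaky(session: Session, leadId: string): Lead {
  const row = leadsTable.find((r) => r.id === leadId);
  if (!row) throw new HttpError(404, "Not found");
  if (row.tenantId !== session.tenantId) throw new HttpError(403, "Forbidden");
  return row;
}

// Scoped read: the tenant from the server-side session is part of the lookup
// predicate itself, so a foreign row and a non-existent row are the same case.
function getLeadScoped(session: Session, leadId: string): Lead {
  const row = leadsTable.find(
    (r) => r.id === leadId && r.tenantId === session.tenantId,
  );
  if (!row) throw new HttpError(404, "Not found");
  return row;
}

// Helper for a regression test: the HTTP status a lookup would produce.
function statusOf(fn: (s: Session, id: string) => Lead, s: Session, id: string): number {
  try {
    fn(s, id);
    return 200;
  } catch (e) {
    return e instanceof HttpError ? e.status : 500;
  }
}
```

A regression test that fails the build can assert that, for the scoped variant, a cross-tenant id and a non-existent id produce the same status.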
Encryption at rest and in transit
Customer data is stored in Postgres on Supabase, with disk encryption and keys managed by the underlying cloud provider's KMS.
All connections to the application — browser, API, OAuth callbacks — are served over TLS 1.2 or higher.
Sensitive fields (OAuth refresh tokens, 2FA secrets) are additionally encrypted at the application layer with AES-256-GCM, using a separate key from the session secret, before being written to the database.
Audit log
Sensitive admin-console actions — tenant rename, suspend / unsuspend, soft-delete, restore, trial extension, opt-out removal — are recorded with timestamp, staff actor email, IP address, and the before / after state of the change.
Audit-log coverage is being expanded toward authentication events, role changes, and tenant-side billing changes; that work is tracked publicly in the roadmap.
Your data, your control
Your data is yours. CSV export is supported for leads, contacts, and pipeline data today; full-tenant export across every object is on the roadmap and ships before broad self-serve launch.
On account cancellation, your tenant enters a 30-day grace period: the data is soft-deleted, and the account can be restored on request at any point during that window. After the grace window a cron job hard-deletes the records.
We do not sell or share your data. AI features (Claude-powered drafts) send prompts to Anthropic. We are working with Anthropic on the standard zero-retention configuration for our production traffic; until that confirmation is in place, prompts should be assumed to follow Anthropic's default API retention policy.
Vulnerability reporting
We welcome security researchers. Report vulnerabilities via the contact form at /contact and we will follow up directly.
Please act in good faith, do not exfiltrate data, and give us reasonable time to remediate before public disclosure.
Security reports are handled through the support and incident process published at /help/support-and-incidents.