Built by people
who run their own audits.
VigiliaRes runs on VigiliaRes. The same control library, the same audit room, the same evidence integrity that ships to customers. This page is a live read of where we stand — not a marketing artifact.
SOC 2 Type II
REPORT · 2026·02·14
NEXT · 2026·11·30
ISO 27001:2022
CERT · 2026·01·08
VALID · 2029·01
ISO 27701 (PIMS)
CERT · 2026·01·08
VALID · 2029·01
GDPR · UK GDPR
DPA · CONTINUOUS
ART. 30 RECORDS
HIPAA
BAA AVAILABLE
HITRUST i1 PENDING
PCI DSS 4.0 SAQ-D
SERVICE PROVIDER
2026·03·22
FedRAMP Moderate
3PAO · A-LIGN
EXP. 2026·11
ISO 42001 (AI)
STAGE 2 · 2026·07
FOR AI ASSIST FEATURES
Need a copy of any report under NDA? Request access · Subprocessor list · Status page
Four commitments.
Your data, in your region.
Three regional partitions: US (us-east-1, us-west-2), EU (eu-west-1, eu-central-1), and APAC (ap-southeast-2). Tenant data does not cross regional boundaries. We can name the AWS account ID hosting yours.
FIPS 140-3 from disk to browser.
AES-256-GCM at rest, TLS 1.3 in transit. Customer-managed keys via AWS KMS BYOK on Sovereign tier. All cryptographic modules are FIPS 140-3 validated; module numbers in the trust portal.
Zero standing access to customer data.
Engineers do not have read access to tenant data. Break-glass workflows are time-boxed (4h max), require two-person approval, and are recorded as evidence in your tenant's audit log.
If something breaks, you'll know first.
Public status page with subscriber webhooks. Security-impacting incidents are notified in writing within 24 hours per our DPA. Postmortems published for all SEV-1s within 5 business days.
Tenant isolation, in layers.
Found something? Tell us.
We run a coordinated disclosure program with safe-harbor language and a published SLA. Researchers can submit via security@vigiliares.com (PGP key fingerprint in the trust portal) or our HackerOne program.
- Acknowledgement≤ 24h
- Triage≤ 72h
- Critical fix≤ 7d
- Public CVE90d coord. window