Compliance
Ventryx is built to help your organization meet its compliance obligations. We maintain certifications and publish controls documentation to support your security reviews and audit processes.
Certifications
| Standard | Status | Scope |
|---|---|---|
| SOC 2 Type II | Certified | Security, Availability, Confidentiality |
| ISO 27001 | In progress | Information security management |
| GDPR | Compliant | EU data processing and residency |
| CCPA | Compliant | California consumer privacy |
| HIPAA | Available (Enterprise) | BAA required — contact sales |
The current SOC 2 report is available under NDA. Request access for your security review.
GDPR
Ventryx acts as a data processor for the data your organization submits to the platform. As a data controller, you retain ownership and responsibility for your data. Key GDPR controls include:
- Data Processing Agreement (DPA) available for all paying customers
- EU data residency available on Enterprise plans (eu-west-1 region)
- Right to erasure: delete all organization data via the API or dashboard
- Data portability: export all stored data in JSON format
- Sub-processor list maintained and updated at ventryx.io/legal/sub-processors
Data retention and deletion
| Data type | Retention | Deletion method |
|---|---|---|
| Event payloads | Per plan (30 days to unlimited) | API or bulk delete |
| Request logs | Per plan (7 days to unlimited) | Log drain or bulk delete |
| Audit logs | Per plan (90 days–7 years) | Contact support |
| Account data | Until account closed + 30 days | Account closure |
Penetration testing
Ventryx undergoes annual third-party penetration testing. Executive summaries of the most recent test results are available upon request under NDA for Enterprise customers.
You may conduct your own security testing against your organization's API resources without prior notice, provided you limit testing to your own organization and do not attempt to access other tenants' data.
Responsible disclosure
We operate a responsible disclosure program. If you discover a security vulnerability in the Ventryx platform, please report it to [email protected]. We commit to acknowledging reports within 24 hours and providing a remediation timeline within 72 hours.