Security & Trust
We take the security of your data seriously. This page summarises the controls we use to protect client information across the Vectruva platform.
1. Data Residency
Client Portal data, account information and uploaded files are stored in cloud infrastructure with primary data residency in Australia. We use providers that operate under data-processing agreements consistent with the Australian Privacy Principles.
2. Encryption
- In transit — all traffic between your browser and our services is encrypted using TLS 1.2 or higher. We enforce HTTPS on every endpoint and use security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy).
- At rest — data stored in our databases and object storage is encrypted at rest using AES-256 or equivalent, managed by our cloud infrastructure providers.
- File access — uploaded files are stored in private buckets. Access is granted only via short-lived signed URLs generated per request — there are no permanently public file URLs.
3. Access Control
- The Portal uses invitation-only access — no self-service registration.
- Role-based access control (RBAC) limits what each user can view and modify based on their engagement role.
- Row-level security (RLS) is enforced at the database layer so that client data is isolated per organisation.
- Admin access to client data is restricted to authorised Vectruva personnel.
- All Portal sessions use token-based authentication with short expiry and server-side revocation on logout.
4. Audit Logging
Significant actions within the Portal — including document generation, data uploads, access grants, and stage gate approvals — are recorded in an immutable audit log. Logs are retained for a minimum of twelve months and are available to you on request.
5. Sub-Processor Security
We engage a small number of trusted technology sub-processors to deliver the Services. Each sub-processor is selected based on their security posture, data-handling commitments, and compliance certifications. We review sub-processors at least annually and maintain contractual data-processing agreements with each. A list of current sub-processors is available on request — email support@vectruva.com.
6. AI Processing
Some features use large language models (LLMs) to generate analysis and documents. Client data submitted to AI processing is handled under strict data-processing agreements. We do not permit our AI providers to use client data to train their general models. All AI outputs undergo human review as part of our delivery process.
7. Vulnerability Management
- We apply security patches to our infrastructure and dependencies on a rolling basis.
- API endpoints are protected by CORS allowlists, rate limiting, input validation, and SSRF protections where applicable.
- We accept responsible disclosure of vulnerabilities — contact support@vectruva.com with details and we will respond within 5 business days.
8. Incident Response
We maintain an internal data breach response plan covering detection, containment, assessment, notification and remediation. In the event of a breach that is likely to cause serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Notifiable Data Breaches (NDB) scheme. If you believe your account or data may have been compromised, contact us immediately at support@vectruva.com.
9. Business Continuity
Our infrastructure providers maintain redundant systems with automated failover. Client data is backed up regularly. We conduct periodic reviews of our continuity and recovery procedures.
10. Contact
Security questions and responsible disclosure reports should be sent to support@vectruva.com.