Security & Compliance
VaultPAM is designed for regulated environments. Use this section when you need to understand how the product supports security controls, where data lives, and how to answer a compliance questionnaire.
SOC 2 posture
VaultPAM supports common control families through:
- MFA and step-up MFA for sensitive actions
- Session recording for user accountability
- Audit logging for administrative and access events
- Approval gates on high-risk Safes
- Network isolation through the connector model
Data residency
- The current reference architecture uses GCP region eu-west1.
- Tenant data is split between tenant-scoped PostgreSQL and MinIO object storage.
- Session metadata, recordings, and audit logs remain associated with the tenant and are retained according to the configured policy.
Audit access
- Audit records can be reviewed in the console.
- CSV export is available for downstream review.
- Retention is policy-driven and should match your internal controls.
Encryption and credential handling
- Traffic is encrypted in transit with TLS 1.3 or later.
- Data at rest is protected by AES-256 through the storage layer and GCP-managed keys.
- Credentials are injected at session time through OpenBao and are not exposed in plaintext to end users.
Compliance scope
VaultPAM is intended to support SOC 2 and ISO 27001 alignment. GDPR processor responsibilities, eIDAS, and NIS2 considerations should be validated against your deployment settings and contractual obligations.
Report a vulnerability
If you have found a security issue in VaultPAM, see our Vulnerability Disclosure Policy.
Need evidence?
Contact your support or customer success channel for compliance questionnaires, architecture notes, and evidence packages.