| Trust Center

Vaival Technologies

Vaival Technologies is the partner of choice for entrepreneurs, SMEs and major corporations. Since 2010, we’ve helped many businesses enhance their potential via custom software development, web3 & blockchain, dev-ops, design innovation and IT consulting services.


View all controls

+ 4 more

+ 5 more

+ 27 more


View all subprocessors

Amazon Web Services

Google Cloud Platform

Microsoft Azure


Google Workspace


SOC 2 Type II

Policy Packet

SOC 1 Type II

Penetration Test Fall 2023

Penetration Test Sprint 2022


Infrastructure security



Encryption key access restricted

The company restricts privileged access to encryption keys to authorized users with a business need.

Production application access restricted

System access restricted to authorized access only

Access control procedures established

The company's access control policy documents the requirements for the following access control functions:

  • adding new users;
  • modifying users; and/or
  • removing an existing user's access.

Remote access encrypted enforced

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

Log management utilized

The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.

Network firewalls reviewed

The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.

Network firewalls utilized

The company uses firewalls and configures them to prevent unauthorized access.

Organizational security



Asset disposal procedures utilized

The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

Employee background checks performed

The company performs background checks on new employees.

Code of Conduct acknowledged by contractors

The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.

Code of Conduct acknowledged by employees and enforced

The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

Confidentiality Agreement acknowledged by contractors

The company requires contractors to sign a confidentiality agreement at the time of engagement.

Confidentiality Agreement acknowledged by employees

The company requires employees to sign a confidentiality agreement during onboarding.

Visitor procedures enforced

The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas.

Security awareness training implemented

The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

Product security



Data encryption utilized

The company's datastores housing sensitive customer data are encrypted at rest.

Control self-assessments conducted

The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

Vulnerability and system monitoring procedures established

The company's formal policies outline the requirements for the following functions related to IT / Engineering:

  • vulnerability management;
  • system monitoring.

Internal security procedures



Continuity and Disaster Recovery plans established

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

Continuity and disaster recovery plans tested

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

Cybersecurity insurance maintained

The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.

Configuration management system established

The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

Change management procedures enforced

The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

Production deployment access restricted

The company restricts access to migrate changes to production to authorized personnel.

Development lifecycle established

The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

Board oversight briefings conducted

The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

Board charter documented

The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

Board meetings conducted

The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.

Backup processes established

The company's data backup policy documents requirements for backup and recovery of customer data.

System changes externally communicated

The company notifies customers of critical system changes that may affect their processing.

Management roles and responsibilities defined

The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

Organization structure documented

The company maintains an organizational chart that describes the organizational structure and reporting lines.

Roles and responsibilities specified

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

Security policies established and reviewed

The company's information security policies and procedures are documented and reviewed at least annually.

Support system available

The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

System changes communicated

The company communicates system changes to authorized internal users.

Access requests required

The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.

Incident response plan tested

The company tests their incident response plan at least annually.

Incident response policies established

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

Incident management procedures followed

The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.

Physical access processes established

The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.

Data center access reviewed

The company reviews access to the data centers at least annually.

Company commitments externally communicated

The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

External support resources available

The company provides guidelines and technical support resources relating to system operations to customers.

Service description communicated

The company provides a description of its products and services to internal and external users.

Risk assessment objectives specified

The company specifies its objectives to enable the identification and assessment of risk related to the objectives.

Risks assessments performed

The company's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

Risk management program established

The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

Data and privacy



Data retention procedures established

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

Customer data deleted upon leaving

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

Data classification policy established

The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.


Amazon Web Services

Google Cloud Platform

Microsoft Azure


Google Workspace