Trust Center
Enterprise security, compliance, and data-handling reference for VaultPDF. Share this section with your security team, procurement department, or any customer requesting a security review.
Last updated: 2026-05-31 · Version: 1.0
For the most recent SOC 2 status, pen-test summary, or DPA, contact [email protected].
VaultPDF uses a customer-owned infrastructure model. Every component that processes or stores your documents deploys into your own Azure subscription via the supplied Bicep templates. VaultPDF does not operate a shared multi-tenant processing environment.
Share This Section
This section is designed to be shared with your security team, procurement department, Microsoft AppSource reviewers, or any customer requesting a security review.
Documents in This Section
Architecture & Data Flow
Full data-flow diagrams, trust boundaries, and key management overview for security architects, procurement teams, and auditors.
Security Controls
Authentication, encryption, network isolation, key management, and audit controls for CISO and security teams.
Data Processing Guide
What data VaultPDF processes, where it flows, retention periods, and GDPR posture for DPO and legal teams.
Sub-Processor List
Complete list of sub-processors and third parties, satisfying GDPR Art. 28(3)(d) and enterprise procurement requirements.
Incident Response
Incident response procedures and customer notification timelines for CISO and operations teams.
Security & Verification
Authentication layers, access control enforcement, document integrity verification, and deep-link safety. For security architects and implementation teams.
Key Security Properties
| Property | Detail |
|---|---|
| Customer-owned infrastructure | All processing components deploy into your Azure subscription. VaultPDF staff have no standing access. |
| no-egress document data | Only a license key and tenant ID are sent to the VaultPDF Licensing API. Document content never leaves your environment. |
| Zero standing vendor access | VaultPDF staff have no access to your Azure Key Vault, Azure Blob Storage, or Isolated Azure Functions. |
| Immutable audit trail | Append-only audit JSONL with hash chain, plus HMAC-signed verification reports. |
| Managed Identity authentication | Isolated Azure Functions use Managed Service Identity for all internal Azure service access. No stored secrets or passwords are used for internal service calls. |
What We Can Provide Now
- Architecture diagrams with trust boundaries
- Security controls overview
- Data processing guide and GDPR posture
- Sub-processor list
- Incident response procedure
What Requires External Engagement
These artifacts require independent third-party auditors and cannot be self-attested:
| Artifact | Status | Notes |
|---|---|---|
| SOC 2 Type I report | Planned | Engage auditor; target within 6 months of GA |
| SOC 2 Type II report | Planned | Requires a 6-12 month audit period post-Type I |
| ISO 27001 certificate | Planned | Can leverage SOC 2 control mapping |
| Penetration test summary | Planned | Commission external pen-test on The Dispatcher, portal, and Licensing API surface |
| SBOM (CycloneDX/SPDX) | In progress | Can be generated from pnpm lockfile; integration into CI is in progress |
| Data Processing Agreement (DPA) | In progress | Legal review required; template available on request |
Enterprise Procurement and Security Inquiries
Contact us for DPA requests, security questionnaires, and enterprise procurement support.
Security & Verification
How Vault Platform enforces security at every layer — from Entra ID authentication and Managed Identity through item-level access control, document integrity verification, and deep-link safety in VaultLifecycle.
Architecture & Data Flow
Full data-flow diagrams, trust boundaries, and key management overview for VaultPDF. The canonical architecture reference for security architects, procurement teams, and AppSource reviewers.