Certifications and frameworks
- SOC 2 Type II: Independently audited annually. Report available under NDA via our trust portal.
- HIPAA: BAA available for US customers. Aligned to the HIPAA Security and Privacy Rules.
- GDPR / UK GDPR: EU and UK Standard Contractual Clauses, transfer impact assessment, EU data residency on Group plans.
- PCI DSS: Payments handled by Stripe (PCI Level 1). Vetch never stores raw card data.
- ISO 27001: Roadmap target for 2026; controls already mapped in our ISMS.
Encryption
- In transit: TLS 1.2+ with modern cipher suites; HSTS preloaded.
- At rest: AES-256 across object storage, databases, backups, and replicas.
- Key management: AWS KMS, customer-managed keys (CMK) on Group plans.
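The two in-transit commitments above (a TLS 1.2 floor and a preload-eligible HSTS header) can both be checked mechanically. The following is an added example, not Vetch's own tooling: it parses a Strict-Transport-Security header value and reports why it would fail the preload list's header requirements (max-age of at least one year, includeSubDomains, preload), and builds a client TLS context that refuses anything below TLS 1.2. The sample headers are constructed.

```python
"""Validate an HSTS header against the preload-list header requirements and
build a TLS-1.2-minimum client context. Added example; sample headers are
constructed, not captured from any real host."""
import re
import ssl

# The preload list requires max-age of at least one year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31_536_000


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into {directive: value-or-True}.

    Directive names are case-insensitive; max-age carries a value, while
    includeSubDomains and preload are bare flags. A repeated directive is an
    error rather than a silent overwrite.
    """
    directives: dict = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value if value else True
    return directives


def preload_problems(header: str) -> list:
    """Return the reasons a header would be rejected for preloading.

    An empty list means the header itself qualifies. The list additionally
    requires HTTPS-only serving and an HTTP-to-HTTPS redirect, which cannot be
    judged from the header alone and are not checked here.
    """
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    max_age = d.get("max-age")
    if max_age is None or max_age is True:
        problems.append("max-age missing")
    elif not re.fullmatch(r"\d+", max_age):
        problems.append(f"max-age not an integer: {max_age!r}")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below one year ({PRELOAD_MIN_MAX_AGE})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def strict_client_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1, mirroring a 'TLS 1.2+' policy.

    create_default_context() already verifies certificates and hostnames;
    the minimum version is set explicitly so the floor does not depend on
    the interpreter's defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample headers: one qualifies, two do not.
SAMPLE_HEADERS = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "too_short": "max-age=86400; includeSubDomains; preload",
    "no_subdomains": "max-age=63072000; preload",
}

if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(label, preload_problems(hdr) or "ok")
    print("minimum TLS:", strict_client_context().minimum_version)
```

The header check is deliberately strict about duplicate directives: browsers take the first occurrence, so a duplicated, weaker max-age appended by a misconfigured proxy would otherwise pass unnoticed.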
Access controls
- SSO via SAML / OIDC; SCIM provisioning on Group plans.
- Mandatory MFA for all staff and admin clinic accounts.
- Role-based access down to the field level — volunteers in shelters can chart without seeing donor data; front desk can take payment without seeing clinical notes.
- Quarterly access reviews; immediate de-provisioning on offboarding.
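Field-level role-based access of the kind described above is easiest to get right as deny-by-default allow-lists with separate read and write sets. What follows is an added example, not Vetch's authorisation code: the role names, field names and sample record are constructed to match the two scenarios in the list (a shelter volunteer who charts without seeing donor data, and front desk staff who take payment without seeing clinical notes).

```python
"""Field-level RBAC: deny by default, explicit per-role read and write
allow-lists, all-or-nothing update checks. Added example; roles, fields and
the sample record are constructed."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a role attempts to write a field outside its allow-list."""


@dataclass(frozen=True)
class FieldPolicy:
    read: frozenset
    write: frozenset


# Constructed policy. Anything not listed is denied; there is no wildcard.
POLICY = {
    # Shelter volunteers chart but never see donor or billing data.
    "volunteer": FieldPolicy(
        read=frozenset({"patient_id", "name", "species", "clinical_notes"}),
        write=frozenset({"clinical_notes"}),
    ),
    # Front desk takes payment but never sees clinical notes.
    "front_desk": FieldPolicy(
        read=frozenset({"patient_id", "name", "species", "owner_email", "balance_due"}),
        write=frozenset({"balance_due"}),
    ),
    "vet": FieldPolicy(
        read=frozenset({"patient_id", "name", "species", "owner_email",
                        "clinical_notes", "balance_due"}),
        write=frozenset({"clinical_notes"}),
    ),
}


def visible_fields(role: str, record: dict) -> dict:
    """Project a record down to the fields the role may read.

    An unknown role yields an empty view, so a typo in a role name fails
    closed instead of exposing the whole record.
    """
    policy = POLICY.get(role)
    if policy is None:
        return {}
    return {k: v for k, v in record.items() if k in policy.read}


def update_allowed(role: str, changes: dict) -> bool:
    """True only if every field in `changes` is writable by the role."""
    policy = POLICY.get(role)
    return policy is not None and set(changes) <= policy.write


def apply_update(role: str, record: dict, changes: dict) -> dict:
    """Apply an update, rejecting it as a whole if any field is not writable.

    All-or-nothing matters: a client must not be able to smuggle a donor or
    billing field edit in alongside a legitimate chart note.
    """
    if not update_allowed(role, changes):
        policy = POLICY.get(role)
        extra = sorted(set(changes) - (policy.write if policy else set()))
        raise Forbidden(f"{role!r} may not write {extra}")
    return {**record, **changes}


# Constructed sample record mixing clinical, owner, donor and billing fields.
RECORD = {
    "patient_id": "p-100",
    "name": "Biscuit",
    "species": "dog",
    "owner_email": "owner@example.com",
    "donor_tier": "gold",
    "clinical_notes": "Otitis externa, left ear.",
    "balance_due": 42.50,
}

if __name__ == "__main__":
    print("volunteer sees:", visible_fields("volunteer", RECORD))
    print("front desk sees:", visible_fields("front_desk", RECORD))
    try:
        apply_update("front_desk", RECORD, {"clinical_notes": "tampered"})
    except Forbidden as exc:
        print("rejected:", exc)
```

Note that `donor_tier` appears in no policy at all: a field that nobody has asked for is invisible to everyone until someone explicitly adds it, which is the property a quarterly access review should be confirming.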
Monitoring and incident response
- Centralised logging with anomaly detection and 24/7 on-call rotation.
- Defined incident severity levels and runbooks. Customer notification within 72 hours of a confirmed breach affecting their data.
- Quarterly tabletop exercises; annual incident response audit.
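One concrete form the anomaly detection mentioned above can take is a per-user baseline on record reads: a volunteer who normally opens a handful of charts per shift and suddenly opens forty is worth an alert. The following is an added example, not Vetch's detection pipeline; the log line format, the tumbling-window size, the thresholds and the sample lines are all constructed.

```python
"""Baseline anomaly detection over constructed access-log lines: alert when a
user's record reads in one window exceed a multiple of that user's own
trailing per-window average. Added example; log format and data are
constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)    # tumbling window size
BASELINE_MULTIPLIER = 5          # alert when count > multiplier * baseline
MIN_ABSOLUTE = 20                # never alert below this many reads


def parse_line(line: str):
    """Constructed format: '<iso-ts> user=<id> role=<role> action=<verb> patient=<id>'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields


def detect(lines, window=WINDOW):
    """Return alerts as (user, window_index, count, baseline) tuples.

    Baseline is the mean of the user's earlier non-empty windows; a user with
    no history never alerts. Windows with zero reads are not recorded, so a
    long quiet gap does not pull the baseline down (a deliberate simplification
    a production detector would want to revisit).
    """
    events = [parse_line(line) for line in lines]
    reads = [(ts, f["user"]) for ts, f in events if f.get("action") == "read"]
    if not reads:
        return []
    t0 = min(ts for ts, _ in reads)

    buckets = defaultdict(lambda: defaultdict(int))  # user -> window -> reads
    for ts, user in reads:
        buckets[user][int((ts - t0) // window)] += 1

    alerts = []
    for user, per_window in buckets.items():
        history = []
        for w in sorted(per_window):
            count = per_window[w]
            if history:
                baseline = sum(history) / len(history)
                if count >= MIN_ABSOLUTE and count > BASELINE_MULTIPLIER * baseline:
                    alerts.append((user, w, count, baseline))
            history.append(count)
    return alerts


def make_sample_log():
    """Constructed log: volunteer 'v-17' reads 3, 2, 4 charts in three windows,
    then 40 in the fourth; front desk 'fd-2' reads a steady 10 per window."""
    start = datetime(2025, 3, 1, 9, 0, 0)
    lines = []
    for w, n in enumerate([3, 2, 4, 40]):
        for i in range(n):
            ts = start + w * WINDOW + timedelta(seconds=i)
            lines.append(f"{ts.isoformat()} user=v-17 role=volunteer action=read patient=p-{w * 100 + i}")
    for w in range(4):
        for i in range(10):
            ts = start + w * WINDOW + timedelta(seconds=i)
            lines.append(f"{ts.isoformat()} user=fd-2 role=front_desk action=read patient=p-{500 + i}")
    return sorted(lines)


if __name__ == "__main__":
    for user, w, count, baseline in detect(make_sample_log()):
        print(f"ALERT user={user} window={w} reads={count} baseline={baseline:.1f}")
```

The absolute floor matters as much as the multiplier: without it a user whose baseline is one read per window would page the on-call engineer after six.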
Application security
- Continuous dependency scanning, secret scanning, and SAST in CI; every change reviewed before merge.
- Quarterly third-party penetration tests. Findings are tracked to closure in our changelog; summary reports available under NDA.
- Bug bounty programme — see “Reporting a vulnerability” below.
AI safety
- Customer data is not used to train shared models. Inference is run via vetted vendors on zero-retention enterprise tiers.
- Every Vetch-generated draft is logged and attributed; signing remains a human action by a licensed professional.
- Confidence thresholds and policy gates pause Vetch before high-stakes actions (charging cards, sending external messages, signing controlled-substance orders).
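The last two points above describe two separate controls: an action-class gate that always hands high-stakes actions to a human, and a confidence threshold that pauses lower-stakes ones when the model is unsure, with every decision logged and attributed. The following is an added example of how such a gate can be structured, not Vetch's own implementation; the action classes, thresholds, log format and sample proposals are constructed.

```python
"""Policy gate for assistant-proposed actions: high-stakes classes always
pause for a human, other classes pause below a per-class confidence
threshold, unknown classes are rejected, and every decision produces one
attributed log line. Added example; classes, thresholds and data are
constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    AUTO = "auto"        # may proceed without a human
    PAUSE = "pause"      # queued for human approval
    REJECT = "reject"    # never executed


# Action classes that always require a human, whatever the confidence.
HIGH_STAKES = frozenset({
    "charge_card",
    "send_external_message",
    "sign_controlled_substance_order",
})

# Per-class minimum confidence for auto-execution. Absent classes are rejected
# rather than defaulted, so a new action type cannot run until someone has
# decided its threshold.
THRESHOLDS = {
    "draft_chart_note": 0.80,
    "suggest_dose": 0.95,
    "schedule_recheck": 0.70,
}


@dataclass(frozen=True)
class Proposal:
    action: str
    confidence: float


@dataclass
class GateResult:
    decision: Decision
    reasons: list = field(default_factory=list)


def gate(p: Proposal) -> GateResult:
    """Decide whether a proposal may run, must pause, or is rejected."""
    if not 0.0 <= p.confidence <= 1.0:
        return GateResult(Decision.REJECT, [f"confidence {p.confidence} out of range"])
    if p.action in HIGH_STAKES:
        # Confidence is irrelevant here: the action itself needs a human.
        return GateResult(Decision.PAUSE, [f"{p.action} is a high-stakes action class"])
    threshold = THRESHOLDS.get(p.action)
    if threshold is None:
        return GateResult(Decision.REJECT, [f"unknown action class {p.action!r}"])
    if p.confidence < threshold:
        return GateResult(
            Decision.PAUSE,
            [f"confidence {p.confidence:.2f} below {threshold:.2f} for {p.action}"],
        )
    return GateResult(Decision.AUTO)


def audit_line(p: Proposal, r: GateResult, actor: str = "vetch-assistant") -> str:
    """One attributed log line per proposal, emitted for every decision."""
    reasons = "; ".join(r.reasons) or "-"
    return (f"actor={actor} action={p.action} confidence={p.confidence:.2f} "
            f"decision={r.decision.value} reasons={reasons}")


# Constructed proposals covering each branch of the gate.
SAMPLE_PROPOSALS = [
    Proposal("draft_chart_note", 0.91),   # auto
    Proposal("suggest_dose", 0.88),       # pause: below the 0.95 threshold
    Proposal("charge_card", 0.99),        # pause: high-stakes class
    Proposal("delete_patient", 0.99),     # reject: unknown class
]

if __name__ == "__main__":
    for p in SAMPLE_PROPOSALS:
        print(audit_line(p, gate(p)))
```

Keeping the high-stakes check ahead of the confidence check is the important ordering: a model that is very confident it should charge a card is exactly the case the gate exists for.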
Backups, recovery, and continuity
- Encrypted backups across multiple regions with point-in-time recovery.
- RPO 5 minutes, RTO 4 hours for production-impacting incidents.
- Quarterly disaster recovery drills.
Sub-processors
See /legal/dpa for the current sub-processor list and notification process.
Reporting a vulnerability
Report security issues to security@vetch.vet. We acknowledge within one business day and do not pursue legal action against good-faith researchers who follow our coordinated-disclosure guidelines: do not access customer data, do not run denial-of-service tests, and give us reasonable time to fix.
Contact
Security questions or attestations: security@vetch.vet. Trust portal access on request.