Certifications and frameworks
- SOC 2 Type II: Independently audited annually. Report available under NDA via our trust portal.
- UK GDPR / DPA 2018: UK Information Commissioner's Office (ICO) is our supervisory authority. UK IDTA and EU SCCs on file for transfers.
- Cyber Essentials Plus: UK government-backed scheme — certification in progress, targeted Q3 2026.
- PCI DSS: Payments handled by Stripe (PCI Level 1). Vetch never stores raw card data.
- ISO 27001: Roadmap target for 2026; controls already mapped in our ISMS.
Encryption
- In transit: TLS 1.2+ with modern cipher suites; HSTS preloaded.
- At rest: AES-256 across object storage, databases, backups, and replicas.
- Key management: AWS KMS, customer-managed keys (CMK) on Group plans.
Access controls
- SSO via SAML / OIDC; SCIM provisioning on Group plans.
- Mandatory MFA for all staff and admin clinic accounts.
- Role-based access down to the field level — volunteers in shelters can chart without seeing donor data; front desk can take payment without seeing clinical notes.
- Quarterly access reviews; immediate de-provisioning on offboarding.
Monitoring and incident response
- Centralised logging with anomaly detection and 24/7 on-call rotation.
- Defined incident severity levels and runbooks. Customer notification within 72 hours of a confirmed breach affecting their data (also reported to the ICO within the same window, where required).
- Quarterly tabletop exercises; annual incident response audit.
Application security
- Continuous dependency scanning, secret scanning, and SAST in CI; every change reviewed before merge.
- Quarterly third-party penetration tests. Findings tracked in our public-summary changelog under NDA.
- Bug bounty programme — see “Reporting a vulnerability” below.
AI safety
- Customer data is not used to train shared models. Inference is run via vetted vendors on zero-retention enterprise tiers.
- Every Vetch-generated draft is logged and attributed; signing remains a human action by a licensed professional.
- Confidence thresholds and policy gates pause Vetch before high-stakes actions (charging cards, sending external messages, signing controlled-substance orders).
Backups, recovery, and continuity
- Encrypted backups across multiple regions with point-in-time recovery.
- RPO 5 minutes, RTO 4 hours for production-impacting incidents.
- Quarterly disaster recovery drills.
Sub-processors
See /legal/dpa for the current sub-processor list and notification process.
Reporting a vulnerability
Report security issues to security@vetch.vet. We acknowledge within one business day and don’t pursue legal action against good-faith researchers who follow our coordinated-disclosure guidelines (do not access customer data, don’t run DoS, give us reasonable time to fix).
Contact
Security questions or attestations: security@vetch.vet. Trust portal access on request.