We sell governance.
We hold ourselves to it.
This page is the public-facing summary of Vendra Holdings' security posture. Detailed audit reports, penetration-test findings, and our internal information-security policy are available under NDA on request.
Where we stand today.
We disclose attestations honestly, including those still in flight. The list is updated quarterly.
- EU AI Act · Article 6 (Live): Self-attested in production. Notified-body review scheduled Q3 2026.
- MAS technology vendor (Live): Registered with the Monetary Authority of Singapore.
- External penetration test (Live): Semi-annual cadence. Most recent engagement closed Q1 2026 with zero criticals and two low-severity findings (remediated).
- Responsible disclosure (Live): Coordinated disclosure with safe harbour. Bounty range USD 2k–25k depending on severity.
- Data residency (Live): Per-tenant region selection at deployment. Singapore (SGP1), EU (FRA1), and US East (NYC1) available today.
- Encryption (Live): TLS 1.3 in transit, AES-256-GCM at rest, KMS-managed keys with quarterly rotation.
- SOC 2 Type II (In progress): Observation window underway with a Big 4 firm. Attestation target Q4 2026.
- ISO 27001 (Planned): Gap assessment closed Q1 2026. Certification target Q1 2027.
Penetration testing
External penetration tests are conducted on a semi-annual cadence by an independent specialist firm. Scope covers the ACIE control plane, the broker-adapter layer, the public API surface, and the operator console.
The most recent engagement closed in Q1 2026 with zero critical findings and two low-severity findings, both remediated within fourteen days. Engagement letters and redacted reports are available under NDA on request.
Responsible disclosure
We welcome reports from independent security researchers. Coordinated disclosure operates under a safe-harbour framework: research conducted in good faith against scoped assets will not result in legal action.
Report findings to security@vendraholdings.com. Responses are acknowledged within one business day. Bounty awards range from USD 2,000 (low severity) to USD 25,000 (critical, with proven exploit), paid within thirty days of remediation.
Out of scope: social engineering against staff, denial-of-service against production, and any access to customer data beyond what is necessary to demonstrate a vulnerability.
Data handling
ACIE processes order metadata (instrument, size, side, venue) and account-state metadata (drawdown, exposure, state). We do not store customer position-level P&L, nor do we store any data that is not necessary for the governance decision.
Data residency is selected at deployment, per tenant. Singapore (SGP1), EU (FRA1), and US East (NYC1) are available today. Encryption is TLS 1.3 in transit and AES-256-GCM at rest, with KMS-managed keys rotated quarterly.
Customer data is retained for the duration of the engagement plus the audit-trail minimum (seven years). Deletion is irreversible and verifiable on request.
Personnel & access
All staff complete background checks at hire and annual security training thereafter. Access to production systems is gated by role, requires hardware-key 2FA, and is logged to the same append-only ledger as customer-facing decisions.
No employee has standing access to customer order data. Break-glass access requires dual approval and is reviewed within twenty-four hours.
Incident response
Production incidents are categorised on a four-tier scale. Tier-1 incidents (loss of enforcement, data integrity compromise) trigger pager response with a fifteen-minute acknowledgement target and a sixty-minute initial mitigation target. Tier-2 incidents (degraded enforcement, partial venue outage) target two-hour mitigation.
Affected customers are notified directly and concurrently with public status updates. Post-incident reviews are written for every Tier-1 and Tier-2 incident and shared with affected customers within ten business days.
Contact
- Security: security@vendraholdings.com
- Compliance: compliance@vendraholdings.com
- Privacy: privacy@vendraholdings.com