Trust Center
VAAS is committed to the security and privacy of customer data. Access certifications, controls and security documentation in one place.
VAAS operates a risk orchestration platform for KYC, KYB, KYE and AML, serving regulated institutions. Founded in 2022, it serves more than 70 enterprise clients. We maintain a comprehensive security program, aligned with industry best practices, with encryption at rest and in transit, least-privilege access control, continuous monitoring and formal incident response processes. This portal centralizes our certifications, controls and documentation, available for your security team during a vendor review.
Certifications
Independent audits completed in 2025. Our controls are mapped to internationally recognized standards and Brazilian data protection law.
Available under NDA
Documents available under NDA. Request access for release.
Reports and assessments
- SOC 2 Type 2 Report (Restricted)
- SOC 1 Type 2 Report (Restricted)
- Pentest Report (Restricted)
Security documentation
- Security Whitepaper (Restricted)
- Security architecture overview (Restricted)
Policies and privacy
- Information Security Policy (Restricted)
- Cloud Security Policy (Restricted)
- Incident Response Plan (Restricted)
- Business Continuity Policy (BCP/DR) (Restricted)
- Retention and Disposal Policy (Restricted)
Security controls monitored, organized by category
Infrastructure and Hosting
- Cloud infrastructure with international certifications
- Customer data hosted in Brazil
- Network isolation, web application firewall (WAF) and identity access control
- High availability with horizontal scalability
- Regular backups and tested disaster recovery (DR)
Encryption and Data Protection
- Encryption at rest and in transit
- Encryption key management
- Secrets and credentials in a dedicated vault
- Multi-tenant with logical isolation between customers
- Audit logs with non-repudiation
Detection and Response
- Continuous monitoring of environments and applications
- Security event correlation (SIEM)
- Endpoint and cloud detection and response (EDR)
- Formalized incident management
- Vulnerability management with SLA by severity
Product Security and Development
- Mandatory MFA
- Role-based access control (RBAC)
- Single Sign-On (SSO) and identity federation
- Application security (AppSec) in the development cycle
- Annual external pentest
Privacy and Compliance
- LGPD compliance
- Data Protection Officer (DPO) appointed
- Records of Processing Activities (ROPA)
- Data subject rights fulfillment
- Data retention and disposal policy
Access Governance and People
- Principle of least privilege
- Cloud access management (IAM)
- Periodic access review
- Awareness training (onboarding and annual)
- Background check and NDA
Transparency history
SOC 2026 recertification cycle started
Kickoff with independent auditor for renewal of SOC 1 and SOC 2 Type 2 reports for the 2026 cycle.
Public status page in deployment
Platform status page for communicating availability and incidents to customers.
SOC audits completed
SOC 1 Type 2 and SOC 2 Type 2 reports issued by an independent auditor.
EDR deployed on endpoints
CrowdStrike Falcon deployed across corporate endpoints, with managed response.
Need documents or an assessment?
Send your request and the VAAS Security team will get back to you with the NDA and the requested materials.