Trust Center

VAAS is committed to the security and privacy of customer data. Access certifications, controls and security documentation in one place.

  • 30 monitored controls
  • SOC 1·2: audited in 2025
  • LGPD: compliant, DPO and ROPA
  • GCP: Google Cloud infrastructure

Overview

VAAS operates a risk orchestration platform for KYC, KYB, KYE and AML, serving regulated institutions. Founded in 2022, it serves more than 70 enterprise clients. We maintain a comprehensive security program, aligned with industry best practices, with encryption at rest and in transit, least-privilege access control, continuous monitoring and formal incident response processes. This portal centralizes our certifications, controls and documentation, available for your security team during a vendor review.

Compliance

Certifications

Independent audits completed in 2025. Our controls are mapped to internationally recognized standards and Brazilian data protection law.

  • SOC 1 Type II (Audited): Controls relevant to customers' internal control environment. Type 2 audit completed (report Dec/2025).
  • SOC 2 Type II (Audited): Trust Services Criteria (AICPA): security, availability and confidentiality. Type 2 audit completed (report Dec/2025).
  • LGPD (Compliant): Law 13,709/2018. DPO appointed, ROPA maintained and retention policy implemented.

Controls mapped to: ISO/IEC 27001:2022, ISO/IEC 27701, NIST CSF, CIS Controls

Documents

Available under NDA

Documents available under NDA. Request access for release.

Reports and assessments

  • SOC 2 Type 2 Report (Restricted)
  • SOC 1 Type 2 Report (Restricted)
  • Pentest Report (Restricted)

Security documentation

  • Security Whitepaper (Restricted)
  • Security architecture overview (Restricted)

Policies and privacy

  • Information Security Policy (Restricted)
  • Cloud Security Policy (Restricted)
  • Incident Response Plan (Restricted)
  • Business Continuity Policy (BCP/DR) (Restricted)
  • Retention and Disposal Policy (Restricted)

Controls

Security controls monitored, organized by category

30 security controls monitored, mapped to ISO/IEC 27001, ISO/IEC 27701, NIST CSF and CIS Controls

Infrastructure and Hosting (5)

  • Cloud infrastructure with international certifications
  • Customer data hosted in Brazil
  • Network isolation, web application firewall (WAF) and identity access control
  • High availability with horizontal scalability
  • Regular backups and tested disaster recovery (DR)

Encryption and Data Protection (5)

  • Encryption at rest and in transit
  • Encryption key management
  • Secrets and credentials in a dedicated vault
  • Multi-tenant with logical isolation between customers
  • Audit logs with non-repudiation

Detection and Response (5)

  • Continuous monitoring of environments and applications
  • Security event correlation (SIEM)
  • Endpoint and cloud detection and response (EDR)
  • Formalized incident management
  • Vulnerability management with SLA by severity

Product Security and Development (5)

  • Mandatory MFA
  • Role-based access control (RBAC)
  • Single Sign-On (SSO) and identity federation
  • Application security (AppSec) in the development cycle
  • Annual external pentest

Privacy and Compliance (5)

  • LGPD compliance
  • Data Protection Officer (DPO) appointed
  • Records of Processing Activities (ROPA)
  • Data subject rights fulfillment
  • Data retention and disposal policy

Access Governance and People (5)

  • Principle of least privilege
  • Cloud access management (IAM)
  • Periodic access review
  • Awareness training (onboarding and annual)
  • Background check and NDA

Updates

Transparency history

18 Jun 2026

SOC 2026 recertification cycle started

Kickoff with independent auditor for renewal of SOC 1 and SOC 2 Type 2 reports for the 2026 cycle.

Q2 2026

Public status page in deployment

Platform status page for communicating availability and incidents to customers.

Dec 2025

SOC audits completed

SOC 1 Type 2 and SOC 2 Type 2 reports issued by an independent auditor.

Mar 2025

EDR deployed on endpoints

CrowdStrike Falcon deployed across corporate endpoints, with managed response.

Request access

Need documents or an assessment?

Send your request and the VAAS Security team will get back to you with the NDA and the requested materials.

Response within 2 business days
VAAS Security team
