Security

You're trusting us with compliance data about your properties and the people who live in them. Here's how we protect it.

Last updated: 16 June 2026

Security is a first-class concern at Vantage. Because we handle sensitive information — tenant and guarantor details, dates of birth, AML screening records and compliance certificates — we apply layered, defence-in-depth controls across our application, data stores and infrastructure. This page summarises our approach and posture.

Encryption

  • In transit: all traffic is served over HTTPS/TLS, with HTTP Strict Transport Security (HSTS) enforced so browsers only ever connect securely.
  • At rest: our managed PostgreSQL database and the object storage holding uploaded documents are encrypted at rest. Passwords are never stored in plain text — only as salted hashes.

Tenant and organisation isolation

Every customer’s data is logically isolated by organisation. The application enforces organisation-scoped access on every request through centralised authorisation helpers, and we apply Postgres Row-Level Security on tenant-scoped tables as an additional, database-level barrier against cross-organisation access. Uploaded documents are namespaced per organisation in private storage.

Access control and authentication

  • Role-based access control within each organisation (owner, admin, member), with state-changing actions restricted to appropriate roles.
  • Strong passwords: we require a minimum of 12 characters and manage sessions with signed, secure cookies.
  • Least privilege: infrastructure credentials are scoped to only the resources and operations the app needs.

Application hardening

  • Cross-site request protection: every state-changing API request is checked for a trusted origin.
  • Security headers: we set HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and a Content-Security-Policy to reduce the impact of common web attacks.
  • Input validation: all API inputs are validated against strict schemas, with request size limits.
  • Rate limiting: sensitive endpoints (sign-in, invites, screening, document serving) are rate limited to deter abuse and brute-force attempts.
  • Signed webhooks and authenticated jobs: incoming billing webhooks are signature-verified and scheduled jobs are protected by an authenticated secret compared in constant time.

Document storage

Compliance documents are stored in a private object-storage bucket with all public access blocked, encryption enabled, and versioning to protect against accidental deletion. Documents are served only to authorised members of the owning organisation through short-lived, access-controlled links — never via public URLs.

Infrastructure and data location

Application data and uploaded documents are hosted in the UK and European Union. Secrets are held only in environment configuration, never committed to source control, and are rotated on a defined schedule and whenever exposure is suspected. Where we use US-based providers, transfers are governed by the UK IDTA or SCCs — see the provider list in our Privacy Policy.

Backups and resilience

Our database provider maintains automated backups with point-in-time recovery, and document storage uses versioning. We monitor application health and errors so we can detect and respond to issues quickly.

Your data, your control

You can export and delete your data. Deleting a property, organisation or account removes the associated records and documents, subject to the retention rules in our Privacy Policy. In the event of a personal-data breach affecting you, we will notify affected customers and the ICO as required by law.

Responsible disclosure

We welcome reports from security researchers. If you believe you’ve found a vulnerability, please email [email protected] with details and steps to reproduce. Please give us a reasonable chance to investigate and fix the issue before any public disclosure, and avoid accessing or modifying data that isn’t yours. We will not pursue researchers who act in good faith and within these guidelines.

Our ongoing commitment

Security is never “done”. We continually review and improve our controls as the product and the threat landscape evolve. If you have questions about our security posture or need to complete a vendor security assessment, contact [email protected].