Vantage Security and Compliance
Effective date:
Product and Data Security
Vantage uses security best practices throughout its application. All users can authenticate with SAML Single Sign-On (SSO), so no additional credentials are needed. Multi-level permissions, including role-based access control (RBAC), give users team access and management options. Vantage requires 2FA for all staff to access internal systems and requires key rotation and other standard security measures for engineers.
Vantage utilizes a Virtual Private Cloud (VPC) with strict ACLs to prevent network intrusions. Billing data is accessed via read-only APIs, and cost data is encrypted in transit and at rest. Vantage retains data for up to 36 months, depending on pricing tier.
For more information on how user data is handled, please review our Privacy Policy, Service Agreement, and Trust Center.
Compliance
Vantage is SOC 1 Type 2 and SOC 2 Type 2 compliant
Vantage maintains both SOC 1 Type 2 and SOC 2 Type 2 compliance and our reports are available upon request. Vantage serves a global customer base and is committed to complying with local laws and regulations. Vantage is headquartered in New York City and incorporated under Delaware law.
Vantage makes use of a limited number of third-party subprocessors to support customers and our product. For information on their security practices, please visit the links below.
- Amazon Web Services
- ClickHouse
- Customer.io
- Datadog
- Hubspot
- Plain
- Mixpanel
- Salesforce
- Segment
- Sentry
- Slack
- Stripe
- Unify
Security and Vulnerability Disclosure Policy
Overview
We take the security of our systems, products, applications, and customer data seriously. If you believe you have discovered a security vulnerability or other issue, we appreciate responsible reporting so we can fix it quickly and protect all users.
Submissions are accepted on an informational basis only, and by submitting a report you agree that no payment, financial compensation, or bounty is owed. We will respond, triage, and remediate issues where appropriate. We value high-quality, good-faith reports that help improve our security posture and protect our customers.
Report Scope
The following systems and domains are in scope for security vulnerability reporting:
- vantage.sh and all subdomains (including console.vantage.sh, docs.vantage.sh, etc.)
- Vantage API endpoints
Reports should be related to actual security issues that could affect the confidentiality, integrity, or availability of our systems or data. Examples include, but are not limited to:
- Authentication or access control flaws
- SQL/command injection or remote code execution
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Insecure direct object references
- Sensitive data exposure
- Server-side request forgery (SSRF)
- XML external entity (XXE) injection
- Security misconfigurations
Please do not report:
- Content issues (typos/text positioning)
- UI/UX suggestions
- Feature requests or non-security general feedback
- Issues in third-party applications or services not directly controlled by Vantage
- Issues that require access to user accounts or credentials
- Spam or email deliverability issues
How to Report
If you believe you have found a vulnerability or wish to report an issue, please contact us at security@vantage.sh.
In your report, include as much of the following as possible:
- A clear description of the issue
- The exact URL, page, API endpoint, or asset where it occurs
- Steps to reproduce the vulnerability
- Any supporting screenshots, logs, or proof-of-concept code
Note: Do not include sensitive user data or screenshots of actual user accounts.
Terms and Expectations
By submitting a report:
- You represent that the research was conducted in good faith and with minimal disruption.
- You agree that you will not make the vulnerability details public before we have had a reasonable opportunity to fix them.
- You understand that Vantage is not obligated to provide compensation of any kind.
Our security team will acknowledge receipt of your submission as soon as reasonably possible, review and triage the report, and work with you if we need additional clarification.