SECURITY & COMPLIANCE

Your Contract Data Is Confidential by Architecture

We are SOC 2 Type II certified, GDPR compliant, and NDA-protected. Your contract submission data is anonymized the moment it enters our platform — your vendor will never know you benchmarked them.

SOC 2 Type II Certified · GDPR Compliant · NDA Protected · AES-256 Encryption · Zero Vendor Disclosure

CERTIFICATIONS

What We're Certified and Audited For

Third-party verified. Audited annually. No self-assessments.

SOC 2 Type II
Annual third-party audit covering security, availability, processing integrity, confidentiality, and privacy. Full report available to enterprise customers under NDA.

GDPR Compliant (Art. 25)
Privacy by design and by default. Data minimization enforced. EU Standard Contractual Clauses available. Right to erasure honored within 30 days of request.

NDA-Protected Workflow
Every enterprise engagement can be wrapped in a mutual NDA. We accept client-provided NDAs or offer our own. Executed before any contract data is shared.
DATA ANONYMIZATION

Your Vendor Doesn't Know You Benchmarked Them

This is the question Fortune 500 procurement teams ask us most. The concern is real: if Oracle finds out you're using third-party benchmark data, will they retaliate? Will they flag your account? Will they change your pricing?

The answer: they will never know. Here's why.

  • All submitted contract data is stripped of identifying information before it enters our analysis pipeline. Company name, account ID, contract reference numbers — all removed at ingestion.
  • We never contact your vendor on your behalf, never share your submission with any third party, and never publish individual transaction data.
  • Benchmark outputs contain only aggregated, normalized percentile ranges derived from 10,000+ comparable transactions.
  • We have zero financial relationship with any software vendor. No referral fees. No co-marketing. No shared accounts.
  • Our infrastructure does not integrate with any vendor CRM, support portal, or account management system.

HOW YOUR DATA FLOWS

From Submission to Benchmark — What Happens at Each Step

Every data point follows the same anonymization and security pipeline before it touches our analysis engine.

01. Encrypted Submission
Proposals and contract data are submitted via TLS 1.3 encrypted connection. Files are stored in AES-256 encrypted storage with access restricted to the assigned analyst only.

02. Immediate Anonymization
Upon ingestion, all company-identifying fields are automatically stripped. Contract metadata is replaced with anonymized tokens. Original identifying data is not retained in the analysis pipeline.

03. Normalization & Categorization
Anonymized transaction data is normalized for deal size, product mix, industry vertical, and renewal vs. new purchase context. This ensures comparisons are apples-to-apples across enterprise segments.

04. Aggregate-Only Publication
Only percentile ranges and aggregated discount statistics are published in benchmark outputs. Minimum cohort size of 30 comparable transactions required before any data point is included in a report.

05. Access-Controlled Report Delivery
Benchmark reports are delivered via authenticated, access-controlled links. Reports expire after 90 days unless saved to the platform. Audit logs track all report access events.

06. Retention & Deletion
Raw submission files are deleted from our systems after benchmark analysis is complete, typically within 30 days of delivery. Anonymized data points are retained for aggregate analysis. Customers may request deletion of all associated data at any time.
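The anonymize, normalize and aggregate-only steps above, as an added example that is not VendorBenchmark's own code: a minimal Python pipeline that strips identifying fields at ingestion, tags each record with a random token, groups records into comparable-transaction cohorts, and publishes discount percentiles only for cohorts of at least 30. Field names, the deal-size bands and the sample submissions are constructed assumptions.

```python
import secrets
import statistics

IDENTIFYING_FIELDS = ("company", "account_id", "contract_ref")  # stripped at ingestion
MIN_COHORT = 30  # page rule: nothing published below 30 comparable transactions

def anonymize(submission: dict) -> dict:
    """Drop identifying fields and attach a random token. A random token
    (not a hash of contract_ref) leaves nothing to join back to the source."""
    record = {k: v for k, v in submission.items() if k not in IDENTIFYING_FIELDS}
    record["token"] = secrets.token_hex(8)
    return record

def deal_band(net_price: float) -> str:
    """Normalize deal size into coarse bands (thresholds are assumed)."""
    return "<100k" if net_price < 1e5 else "100k-1M" if net_price < 1e6 else ">1M"

def cohort_key(record: dict) -> tuple:
    """Comparable-transaction grouping: vendor, product, vertical, size, context."""
    ctx = "renewal" if record["renewal"] else "new"
    return (record["vendor"], record["product"], record["industry"],
            deal_band(record["net_price"]), ctx)

def publish(records: list) -> dict:
    """Aggregate-only output: discount percentiles per cohort, thin cohorts suppressed."""
    cohorts: dict = {}
    for r in records:
        cohorts.setdefault(cohort_key(r), []).append(1 - r["net_price"] / r["list_price"])
    report = {}
    for key, discounts in cohorts.items():
        if len(discounts) < MIN_COHORT:
            continue  # never emit a thin cohort, not even a single percentile
        p25, p50, p75 = statistics.quantiles(discounts, n=4)
        report[key] = {"n": len(discounts), "p25": round(p25, 3),
                       "p50": round(p50, 3), "p75": round(p75, 3)}
    return report

def sample_submissions() -> list:
    """Constructed input: 35 comparable renewals plus a 5-record thin cohort."""
    subs = [{"company": f"Acme {i}", "account_id": f"A{i}", "contract_ref": f"C{i}",
             "vendor": "ExampleVendor", "product": "DB", "industry": "Finance",
             "renewal": True, "list_price": 500_000,
             "net_price": 500_000 * (0.80 - (i % 5) * 0.02)} for i in range(35)]
    subs += [{"company": f"Beta {i}", "account_id": f"B{i}", "contract_ref": f"D{i}",
              "vendor": "ExampleVendor", "product": "DB", "industry": "Retail",
              "renewal": False, "list_price": 50_000, "net_price": 40_000}
             for i in range(5)]
    return subs
```

Running `publish([anonymize(s) for s in sample_submissions()])` yields one cohort of 35 with its discount percentiles; the 5-record Retail cohort is dropped entirely rather than published with a small n.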
TECHNICAL CONTROLS

Enterprise-Grade Infrastructure Security

VendorBenchmark is built on AWS infrastructure with multiple layers of access control, encryption, and monitoring. Our security posture is verified annually by independent auditors.

  • Encryption at rest and in transit: AES-256 for all stored data. TLS 1.3 for all data in transit. Key management via AWS KMS.
  • Access control: Role-based access control (RBAC) with least-privilege principles. Multi-factor authentication required for all internal system access.
  • Network security: VPC isolation. WAF protection. DDoS mitigation. No direct public access to data stores.
  • Monitoring & alerting: 24/7 automated threat detection. Security event logging with 12-month retention. Incident response SLA: 4-hour acknowledgment for critical events.
  • Vulnerability management: Quarterly penetration testing by third-party firm. Automated dependency scanning in CI/CD pipeline.
  • Business continuity: Data replicated across multiple availability zones. RTO: 4 hours. RPO: 1 hour.

COMPLIANCE STATUS

Current Compliance Framework

As of Q1 2026. Enterprise customers may request full compliance documentation.

Framework       Scope                                                  Status        Last Audited
SOC 2 Type II   Security, Availability, Confidentiality, Privacy       Active        December 2025
GDPR            EU personal data processing, data subject rights       Active        Continuous
CCPA            California consumer privacy rights                     Active        Q3 2025
ISO 27001       Information security management system                 In progress   Target: Q3 2026
Pen Testing     External application and network penetration testing  Active        Q4 2025

SECURITY QUESTIONS?

Need the Full SOC 2 Report or Custom DPA?

Enterprise customers can request our full SOC 2 Type II audit report, execute a custom Data Processing Agreement, or arrange a security review call with our CISO. Contact us to get started.