How CyberVadis protects your data: overview

Get a clear overview of how CyberVadis keeps your uploaded evidence and assessment data secure, who controls access to your documents, and where to find more detailed technical information.

Written by Ana Nikolaeva

Uploading sensitive security documentation to a third-party platform requires trust. This article summarises how CyberVadis protects your data from the moment you upload it to the moment it is deleted.

For full technical details, see [How your data is stored, transported, and accessed: technical detail].

Your data is yours

The documents and assessment results you provide belong to you. CyberVadis uses your data exclusively for the purpose of conducting your assessment. We do not scan your data for marketing purposes, sell it to third parties, or use it for any purpose beyond our contractual obligations.

Third parties can only access your results or documents if you explicitly grant them permission. You control the visibility of every document you upload: each file can be set to share with requesting clients or kept strictly for internal review by CyberVadis analysts. See [How to change the sharing settings for your evidence documents].

How your data is protected

CyberVadis applies the following protections to all customer documents:

  • Encrypted in transit using TLS 1.3, enforced end-to-end

  • Encrypted at rest using AES-256 on every storage layer, with a unique encryption key per customer

  • Least-privilege, just-in-time access so only named analysts can access your documents during active review periods

  • Full audit logging of all access to infrastructure resources, subject to periodic forensic review

  • Mandatory MFA on all platform accounts, secured via Auth0

Infrastructure and certifications

CyberVadis services are hosted on Microsoft Azure data centers located within the European Union. Our hosting infrastructure holds the following certifications: ISO/IEC 27001, ISO/IEC 27018, SOC 1, and SOC 2.

CyberVadis itself is ISO 27001 certified and GDPR compliant. Our internal security practices include continuous employee training, weekly automated vulnerability scans, and an annual independent penetration test.

AI and your data

CyberVadis uses AI features to support the assessment process. Our commitments regarding AI data handling are:

  • Your document content is never used to train our AI models

  • AI processing of your documents is transient and nothing is stored beyond the transaction

  • Any AI feature can be opted out of at any time

For full details, see [How your data is stored, transported, and accessed: technical detail].

Security incidents

In the event of a security incident that may affect the confidentiality of your data, CyberVadis will notify you as soon as possible and no later than 72 hours after we become aware of the occurrence.

Document retention and deletion

Your documents are retained for the duration of your subscription plus up to three years per GDPR. You can request deletion at any time by contacting support@cybervadis.com. Deletion from active systems is completed within 3 business days. See [Document retention: how long CyberVadis keeps your files] for full details.

Further resources

For a full overview of our security certifications and compliance documentation, visit the CyberVadis Trust Center.

To report a security or confidentiality concern, see [How to report a security or confidentiality concern].
