This article provides a detailed technical explanation of how CyberVadis handles your uploaded documents and assessment data. For a plain-language overview, see [How CyberVadis protects your data: overview].
Data classification
All customer data uploaded to CyberVadis is classified as confidential from the moment it leaves your browser. This classification applies five rules without exception:
Strong transport encryption (TLS 1.3 enforced end-to-end, RSA 2048-bit certificates, strongest cipher suites negotiated first)
Customer-unique key encryption (each document encrypted with a single-use Content Encryption Key)
Encryption at rest (AES-256 on every Azure storage layer, per-customer key held in Azure Key Vault)
Least-privilege, just-in-time access (access granted only to named analysts, only during active review periods)
Full auditability (every infrastructure action logged and subject to periodic forensic review)
How documents are encrypted: envelope encryption
Every document you upload is protected by two layers of encryption:
A Content Encryption Key (CEK) is generated by the Azure Storage client SDK. This is a single-use, symmetric key scoped to one document.
Your document is encrypted with that CEK. The unencrypted document never touches CyberVadis storage.
The CEK is itself encrypted with a Key Encryption Key (KEK) stored in Azure Key Vault. The storage client invokes the KEK's wrapping algorithm but never reads the KEK directly.
The encrypted document and the wrapped CEK are uploaded to Azure Storage together.
This means that even if storage were compromised, an attacker would have access only to encrypted data and a wrapped key, not the underlying documents.
How data is transported
All data in transit is protected by TLS 1.3, enforced end-to-end. RSA 2048-bit certificates are used and the strongest available cipher suites are negotiated first.
How data is stored
CyberVadis services are hosted on Microsoft Azure data centers located within the European Union. These data centers hold ISO/IEC 27001, ISO/IEC 27018, SOC 1, and SOC 2 certifications.
Encryption at rest is enforced by default on all Azure storage layers using AES-256. Each customer's data uses a unique encryption key stored in Azure Key Vault, accessible only to named CyberVadis staff.
How documents are accessed during review
During the expert analysis stage, your documents are temporarily shared in a secure Google Workspace environment so our analysts can review them. The following controls apply during this period:
Documents remain encrypted at every step
Analyst access is online-only with no ability to download or modify documents
The shared workspace is automatically deleted 24 hours after the review is validated
In rare cases where a download is required (for example, to translate an image-based document), a senior security analyst must approve the request. The document is destroyed immediately after processing.
Access controls and authentication
CyberVadis logically isolates each customer's data from all other customers. Access to customer data and encryption keys is restricted to a small group of named CyberVadis employees. The following controls govern access:
Role-based access control (RBAC) with strict need-to-know and least-privilege enforcement
Two-factor authentication required for all production accounts
Authentication for all platform services is managed via Auth0, using OAuth 2 with mandatory MFA
API access is granted on demand using tenant-scoped tokens. No multi-tenant API access is permitted.
All infrastructure access is logged and subject to periodic audits and forensic review
Security incident notification
In the event of a security incident that may affect the confidentiality of your data, CyberVadis will notify you as soon as possible and no later than 72 hours after we become aware of the occurrence.
Third-party sub-processors
All data processing is performed within CyberVadis-controlled infrastructure. A limited set of contractually bound sub-processors supports specific functions:
Microsoft Azure (EU) for infrastructure and storage
Google Workspace (EU) for the encrypted analyst review environment
Auth0 (EU) for authentication
Each sub-processor operates under GDPR Article 28 terms. No customer data is sold, shared for marketing purposes, or transferred outside the scope of our contractual obligations.
AI data handling
CyberVadis uses AI features to support certain aspects of the assessment process. The following commitments apply to all AI features:
Your document content is never used to train our AI models
AI processing of your documents is transient. Nothing is stored beyond the transaction.
Any AI feature can be opted out of at any time
Data retention and deletion
Documents are retained for the duration of your subscription agreement plus up to three years per GDPR. On request, documents are deleted from active systems within 3 business days and from offline backups within 120 days. You can retrieve your data at any time, free of charge.
For full details on retention and deletion, see [Document retention: how long CyberVadis keeps your files].