Security & Compliance

VINCTA is built with security and regulatory compliance at its core. This page outlines our security architecture, data protection measures, and compliance certifications.


Data Security

Encryption

Data at Rest

  • All data encrypted using AES-256 encryption
  • Database-level encryption via Supabase
  • Encrypted backups with separate key management

Data in Transit

  • TLS 1.3 for all API communications
  • HTTPS-only connections (HSTS enabled)
  • Webhook signature verification (HMAC-SHA256)

Key Management

  • Secure key storage with access controls
  • Regular key rotation procedures
  • Separation of encryption keys per client

Data Residency

Infrastructure Location

  • Primary hosting: European Union data centers
  • Database: Supabase EU region
  • Complies with German data sovereignty requirements
  • No cross-border data transfers outside EU/EEA

Data Sovereignty

  • Customer data remains within EU jurisdiction
  • Meets BaFin and GDPR requirements
  • Contractual guarantees for data location

Access Control

Role-Based Access Control (RBAC)

VINCTA implements granular role-based access with four primary roles:

Role                      | Permissions                                       | Use Case
Analyst                   | View cases, investigate alerts, request approvals | Front-line compliance analysts
Senior Analyst            | All analyst permissions + escalation handling     | Experienced analysts
Compliance Officer (MLRO) | All permissions + approve/reject actions          | Money Laundering Reporting Officer
Administrator             | Full system access + user management              | System administrators

Maker-Checker Workflow

  • HIGH/CRITICAL cases require dual approval
  • ALL SAR/STR filings require approval (regardless of risk level)
  • Maker and checker must have different roles (GwG §25)
  • Approval decisions require documented reasoning
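
The role table and the maker-checker rules above are a policy, and a policy is only a control if the application enforces it on every approval. The following is an added example, not VINCTA's code, that expresses the four roles as an inheritance chain and the four maker-checker rules as a single check. Permission names, role keys and the shape of the action and user objects are assumptions for illustration.

```javascript
// Added example (not VINCTA's code): the four roles and the maker-checker
// rules from this page as an enforceable policy. Permission and role names
// are assumptions.
const ROLES = {
  analyst:            { inherits: null,                 grants: ['case:view', 'alert:investigate', 'approval:request'] },
  senior_analyst:     { inherits: 'analyst',            grants: ['escalation:handle'] },
  compliance_officer: { inherits: 'senior_analyst',     grants: ['action:approve', 'action:reject'] }, // MLRO
  administrator:      { inherits: 'compliance_officer', grants: ['user:manage', 'system:admin'] },
};

// Resolve the full permission set by walking the inheritance chain.
function permissionsOf(role) {
  const perms = new Set();
  for (let r = ROLES[role]; r; r = r.inherits ? ROLES[r.inherits] : null) {
    r.grants.forEach((p) => perms.add(p));
  }
  return perms;
}

function can(user, permission) {
  return permissionsOf(user.role).has(permission);
}

// Dual approval: every SAR/STR filing regardless of risk, and every HIGH/CRITICAL case.
function requiresApproval(action) {
  if (action.type === 'sar_filing' || action.type === 'str_filing') return true;
  return ['HIGH', 'CRITICAL'].includes(action.riskLevel);
}

// Returns { ok, reason }. Order: is the checker allowed to approve at all,
// is the checker independent of the maker, is the decision documented.
function checkApproval({ action, maker, checker, decision, reasoning }) {
  const deny = (reason) => ({ ok: false, reason });
  if (!requiresApproval(action)) return { ok: true, reason: 'no dual approval required' };
  if (!can(checker, 'action:approve')) return deny('checker lacks action:approve');
  if (maker.id === checker.id) return deny('maker may not approve own action');
  // The page requires distinct roles, so a second user with the same role is not enough.
  if (maker.role === checker.role) return deny('maker and checker must hold different roles');
  if (decision !== 'approve' && decision !== 'reject') return deny('decision must be approve or reject');
  if (typeof reasoning !== 'string' || reasoning.trim() === '') return deny('decision requires documented reasoning');
  return { ok: true, reason: `${decision} recorded by ${checker.id}` };
}
```

The same-user check is stated explicitly because role separation alone does not cover an administrator, whose role inherits approval rights and could otherwise sign off on an action the same account created.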

Authentication

Passwordless Magic Links

  • Single-use login links delivered by email; no password exists to be phished, reused or taken from a breached database
  • No password storage or management
  • The user's mailbox becomes the trust anchor for sign-in, which is why MFA (below) is recommended for privileged roles

Session Management

  • Configurable session timeout (default: 30 minutes)
  • Automatic logout after inactivity
  • Secure session token storage

Multi-Factor Authentication (MFA)

  • Available for all user accounts
  • Recommended for admin and compliance officer roles
  • TOTP-based (Time-based One-Time Password)

Audit & Logging

Immutable Audit Trail

What We Log

  • All user actions (view, create, update, delete)
  • Case status changes with timestamps
  • Approval requests and decisions
  • System access and authentication events
  • Webhook deliveries and processing

Audit Log Features

  • Immutable records (cannot be modified or deleted)
  • 5-10 year retention (configurable per regulatory requirements)
  • Exportable for regulatory audits
  • Searchable and filterable

Compliance Requirements

  • AMLD6 Article 8(1): Document all actions for review
  • GwG §24: Audit trail documentation
  • BaFin MaRisk AT 7.2: IT system documentation

Compliance Certifications

Current Status

GDPR Compliant

  • Data protection by design and default
  • Right to access, rectification, erasure
  • Data portability and processing transparency
  • Privacy policy and data processing agreements

BaFin MaRisk Aligned

  • Risk management framework
  • IT system documentation
  • Change management procedures
  • Data integrity controls

GwG (German AML Law) Compliant

  • Internal safeguards documentation
  • Record retention (5-10 years)
  • Audit trail requirements
  • Maker-checker workflows

In Progress

SOC 2 Type II

  • Target: Q2 2025
  • Security, availability, confidentiality controls
  • Independent audit and certification

ISO 27001

  • Target: Q3 2025
  • Information security management system
  • International standard for security

Vulnerability Management

Security Practices

Code Security

  • Regular dependency updates
  • Automated vulnerability scanning
  • Secure coding standards
  • Code review process

Infrastructure Security

  • Regular security patches
  • Network segmentation
  • DDoS protection
  • Intrusion detection

Incident Response

  • 24/7 security monitoring
  • Incident response plan
  • Breach notification procedures
  • Regular security drills

Responsible Disclosure

Found a security issue? Please report it responsibly:

Email: security@vincta.io
Response Time: Within 24 hours
Disclosure Policy: Coordinated disclosure after fix deployment


Data Protection

GDPR Rights

VINCTA supports all GDPR data subject rights:

  • Right to Access - Export your data
  • Right to Rectification - Correct inaccurate data
  • Right to Erasure - Delete your data (with regulatory exceptions)
  • Right to Portability - Receive data in machine-readable format
  • Right to Object - Object to certain processing activities

Data Protection Officer (DPO)
Email: dpo@vincta.io

Data Processing

Legal Basis

  • Contractual necessity (service delivery)
  • Legal obligation (AML/KYC compliance)
  • Legitimate interest (fraud prevention)

Data Minimization

  • Only collect necessary data
  • Regular data retention reviews
  • Automated deletion of expired data

Third-Party Processors

  • Supabase (database hosting)
  • Vercel (application hosting)
  • All processors are GDPR-compliant with DPAs in place

Regulatory Alignment

European AML Directives

AMLD6 (6th Anti-Money Laundering Directive)

  • Enhanced due diligence for high-risk customers
  • Risk-based approach to compliance
  • Timely suspicious activity reporting
  • 5-year record retention

DORA (Digital Operational Resilience Act)

  • ICT risk management framework
  • Incident reporting procedures
  • Business continuity planning
  • Third-party risk management

German Regulations

GwG (Geldwäschegesetz - German AML Law)

  • Internal safeguards and controls
  • Customer due diligence requirements
  • Beneficial owner identification
  • Transaction monitoring obligations

BaFin Requirements

  • MaRisk AT 7.2: IT system documentation
  • Segregation of duties (maker-checker)
  • Audit trail completeness
  • Data integrity guarantees

Audit Support

For Auditors

VINCTA provides comprehensive audit support:

Audit Trail Exports

  • Complete case history with timestamps
  • User action logs
  • Approval decision records
  • System access logs

Regulatory Reports

  • SAR/STR filing documentation
  • High-risk customer reports
  • SLA compliance reports
  • User activity summaries

Documentation

  • System architecture documentation
  • Security policies and procedures
  • Data flow diagrams
  • Compliance certifications

Audit Preparation

  • Dedicated audit support
  • Evidence gathering assistance
  • Regulatory inquiry response
  • Expert consultation available

Security Inquiries

For security-related questions or concerns:

General Inquiries: security@vincta.io
Compliance Questions: compliance@vincta.io
Data Protection: dpo@vincta.io

Response Time: Within 24 hours for security issues, 48 hours for general inquiries


Updates

This security documentation is reviewed and updated quarterly. Last review: December 2024.

Subscribe to security updates: Contact security@vincta.io