Vintrip Labs

Security

Security at Vintrip Labs

We take the security of our own operations and client data as seriously as our clients take theirs. The following is a summary of our security posture; a fuller version is available to prospective clients under NDA.

Certifications and frameworks

  • ISO 27001:2022 (certified, BSI)
  • SOC 2 Type II (in progress, expected Q3 2026)
  • Cyber Essentials Plus (certified, UK delivery arm)
  • PCI DSS not applicable — we do not process cardholder data

Data protection

All client data is processed in line with the EU General Data Protection Regulation and the Singapore Personal Data Protection Act. Engagement data is hosted on infrastructure in Singapore (primary) and Frankfurt (secondary), both AWS regions. We do not transfer client data to the United States; the US subprocessor list is intentionally empty.

Vulnerability disclosure

We welcome reports of security issues affecting our systems. To report a vulnerability, see our security.txt file or write to security@vintriplabs.com. We commit to acknowledging reports within two working days and to a coordinated disclosure timeline of up to 90 days, extendable by agreement.

Penetration testing

Our infrastructure is independently tested annually by a CREST-accredited assessor. The latest assessment was completed in Q1 2026 (assessor: a CREST-accredited UK firm); an executive summary is available to prospective clients on request under NDA.

Subprocessors

A current list of our subprocessors is available on request to clients under NDA. Updates to the list are notified by email with 30 days' notice.