Skip to content
Vestval

Trust Center

Compliance Approach

How Vestval structures its controls, evidence and audits so enterprise procurement can move with confidence.

Overview

Compliance at Vestval is treated as an engineering output, not a paperwork exercise. Controls are implemented in code and infrastructure first, then mapped to the frameworks our customers care about — so evidence is a byproduct of how we operate rather than a scramble before an audit.

We align our control environment to widely recognized frameworks including SOC 2 principles, ISO 27001 domains and GDPR obligations, and we support customer-specific control mappings during vendor onboarding.

What this covers

Control mapping

A single internal control set mapped to SOC 2, ISO 27001 and GDPR so one control satisfies many framework requirements.

Evidence automation

Access reviews, change logs and configuration state are captured continuously, so audit evidence is generated automatically.

Policy lifecycle

Security and privacy policies are versioned, reviewed on a schedule and acknowledged by staff, with an auditable trail.

Third-party audits

We support independent assessment and share reports under NDA as part of enterprise diligence.

Questionnaire response

SIG, CAIQ and bespoke security questionnaires are answered from a maintained knowledge base for fast turnaround.

Regulatory tracking

We monitor changes in applicable regulation and adjust controls before deadlines rather than after.

How it works

  1. 1

    Controls are implemented in infrastructure and application code with ownership assigned.

  2. 2

    Each control is mapped to the relevant clauses of the frameworks customers require.

  3. 3

    Evidence is collected continuously and reviewed on a defined cadence.

  4. 4

    Independent assessors validate the control environment and reports are shared under NDA.

FAQ

Frequently asked

  • We align our control set to SOC 2 trust principles, ISO 27001 domains and GDPR obligations, and we support customer-specific mappings during onboarding.