Security
Your data protection is our priority.
You trust Vastyn with your business operations — your products, orders, inventory, and customer data. We take that responsibility seriously. This page explains how we protect your data and maintain the security of our platform.
Summary
| Area | Our Approach |
|---|---|
| Infrastructure | Hosted on AWS with enterprise-grade security |
| Encryption | All data encrypted in transit and at rest |
| Access Control | Role-based access, multi-factor authentication |
| Data Location | Your data stays in your region |
| Compliance | GDPR compliant, ICO registered |
| Uptime | 99.9% availability commitment |
Infrastructure Security
Enterprise-Grade Cloud Hosting
Vastyn is hosted on Amazon Web Services (AWS), the world's leading cloud platform trusted by millions of businesses.
AWS provides:
- Physical security of data centres (24/7 guards, biometric access)
- Redundant power, cooling, and networking
- Continuous monitoring and threat detection
- Compliance with major security standards
AWS Certifications
Our infrastructure provider maintains:
| Certification | Description |
|---|---|
| ISO 27001 | Information security management |
| ISO 27017 | Cloud security controls |
| ISO 27018 | Protection of personal data in the cloud |
| SOC 1, 2, 3 | Security, availability, and confidentiality |
| PCI DSS Level 1 | Payment card industry standards |
| CSA STAR | Cloud Security Alliance certification |
Regional Data Centres
Your data is stored in the AWS region closest to you:
| Your Location | Data Centre |
|---|---|
| United Kingdom | AWS London (eu-west-2) |
| European Union | AWS Frankfurt (eu-central-1) |
| United States | AWS US regions |
| Other regions | Nearest appropriate region |
Your data does not leave your region unless required for support with appropriate safeguards.
Data Encryption
Encryption in Transit
All data transmitted between your browser and Vastyn is encrypted using TLS 1.2 or higher.
- HTTPS everywhere — All connections are encrypted
- TLS 1.2+ — Modern encryption protocols only
- HSTS enabled — Browsers forced to use secure connections
- Perfect Forward Secrecy — Session keys protected
Encryption at Rest
All data stored on our servers is encrypted using AES-256, the same standard used by governments and banks.
| Data Type | Encryption |
|---|---|
| Database | AES-256 encryption |
| File storage | AES-256 encryption |
| Backups | AES-256 encryption |
| Logs | AES-256 encryption |
Password Security
- Passwords are hashed using bcrypt, which applies a unique random salt to each password
- We never store plain-text passwords
- We cannot retrieve your password — only reset it
Access Control
Your Account Security
Multi-Factor Authentication (MFA)
- Available for all accounts
- Supports authenticator apps (Google Authenticator, Authy, etc.)
- Strongly recommended for all users
Strong Password Requirements
- Minimum length enforced
- Complexity requirements
- Breached password detection
Session Management
- Automatic session timeout after inactivity
- View and revoke active sessions
- Single sign-out capability
Team Access Controls
Role-Based Access Control (RBAC) — Define roles with specific permissions, limit access to sensitive features, and audit who can access what.
Available Roles:
| Role | Access Level |
|---|---|
| Owner | Full access, billing, user management |
| Admin | Full operational access, no billing |
| Manager | Orders, inventory, products |
| Staff | Limited operational access |
| View Only | Read-only access |
Internal Access Controls
Our team's access to your data:
- Strictly limited to authorised personnel
- Requires business justification
- All access is logged and audited
- Staff undergo security training
- Confidentiality agreements in place
We only access your data when:
- You request support and grant permission
- Required to maintain service operation
- Required by law
Application Security
Secure Development Practices
How we build secure software:
- Security-first development approach
- Code reviews for all changes
- Automated security testing
- Dependency vulnerability scanning
- Regular security assessments
Protection Against Common Threats
| Threat | Protection |
|---|---|
| SQL Injection | Parameterised queries, ORM usage |
| Cross-Site Scripting (XSS) | Input sanitisation, output encoding |
| Cross-Site Request Forgery (CSRF) | CSRF tokens on all forms |
| Broken Authentication | Secure session handling, MFA |
| Sensitive Data Exposure | Encryption, access controls |
API Security
- All API requests require authentication
- Rate limiting to prevent abuse
- Request validation and sanitisation
- Comprehensive audit logging
Data Protection
Backups
Continuous Backups
- Automated backups every hour
- Point-in-time recovery available
- Backups encrypted and stored securely
- Geographically redundant storage
Retention
- Daily backups retained for 30 days
- Enables recovery from data loss or corruption
Data Retention
| Data Type | Retention |
|---|---|
| Account data | Duration of account + 90 days |
| Business data | Duration of account + 90 days |
| Logs | 90 days |
| Backups | 30 days rolling |
When you close your account, your data is deleted within 90 days.
Data Portability
You can export your data at any time:
- Products, inventory, orders
- Standard formats (CSV, Excel)
- Accessible from your dashboard
Monitoring & Incident Response
Continuous Monitoring
24/7 Monitoring:
- Infrastructure health monitoring
- Application performance monitoring
- Security threat detection
- Anomaly detection and alerting
Uptime Commitment:
- 99.9% availability target
- Status page at vastyn.com/status
- Incident notifications for affected users
Incident Response
If a security incident occurs:
- Detection — Automated monitoring identifies issues
- Assessment — Security team evaluates severity
- Containment — Immediate action to limit impact
- Notification — Affected users informed promptly
- Resolution — Root cause identified and fixed
- Review — Post-incident analysis and improvements
Breach Notification: Under GDPR, we will notify you within 72 hours if a breach affects your personal data.
Compliance
GDPR Compliance
Vastyn is fully compliant with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
Our GDPR measures:
- Lawful basis for all processing
- Data minimisation principles
- Right to access, rectify, delete your data
- Data Processing Agreements available
- Privacy by design in our development
ICO Registration: 00019463104
Data Processing
For business customers who need formal documentation:
- Data Processing Agreement (DPA) — Available on request
- Subprocessor list — View our subprocessors
- Data location — Confirmed in your region
Contact hello@vastyn.com for compliance documentation.
Third-Party Security
Subprocessors
We carefully select third-party services that meet our security standards:
| Provider | Purpose | Security |
|---|---|---|
| AWS | Infrastructure | SOC 2, ISO 27001, PCI DSS |
| Stripe | Payments | PCI DSS Level 1 |
| AWS SES | Email delivery | SOC 2, ISO 27001 |
Full list: Subprocessors
Marketplace Connections
When you connect marketplaces (Amazon, eBay, etc.):
- We use official APIs only
- OAuth authentication (no passwords stored)
- Minimum required permissions
- Secure token storage
Your Security Responsibilities
Security is a shared responsibility. We recommend:
Account Security
- Enable Multi-Factor Authentication (MFA)
- Use a strong, unique password
- Don't share your login credentials
- Review active sessions regularly
- Remove access for former team members promptly
Operational Security
- Use role-based access for team members
- Regularly review user permissions
- Keep your connected marketplace credentials secure
- Report suspicious activity immediately
Reporting Security Issues
Responsible Disclosure
If you discover a security vulnerability, please report it to us:
Email: security@vastyn.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information
Our commitment:
- Acknowledge receipt within 24 hours
- Investigate promptly
- Keep you informed of progress
- Credit reporters (if desired) once resolved
Please do not:
- Access other users' data
- Disrupt service availability
- Publicly disclose before we've addressed the issue
Frequently Asked Questions
Where is my data stored?
Your data is stored in the AWS region closest to you (UK, EU, or US). Data does not leave your region except where necessary for support with appropriate safeguards.
Is my data encrypted?
Yes. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords are hashed and cannot be retrieved.
Who can access my data?
Only authorised Vastyn personnel with a business need can access your data. All access is logged. Your team members have access based on the roles you assign.
What happens if there's a security breach?
We will notify affected users within 72 hours as required by GDPR. We will explain what happened, what data was affected, and what actions we're taking.
Do you have security certifications?
Our infrastructure provider (AWS) maintains ISO 27001, SOC 2, and PCI DSS certifications. Vastyn follows security best practices aligned with these standards.
Can I get a Data Processing Agreement?
Yes. Contact hello@vastyn.com and we'll provide a DPA for your records.
Contact
For security questions or to report an issue:
Security issues: security@vastyn.com
General enquiries: hello@vastyn.com
Post:
Versatile Commerce Ltd
Maritime House, Discovery Quay
Falmouth, Cornwall
TR11 3XA
United Kingdom
Document Information
| Field | Value |
|---|---|
| Document | Security Overview |
| Provider | Versatile Commerce Ltd |
| Company Number | 10984996 |
| ICO Registration | 00019463104 |
| Last Updated | January 2026 |