Security & Compliance
Security is baked into everything we do. We follow security practices that go beyond industry best practices and maintain a strong security posture, so that our customers never need to worry about security and compliance.
All communication between customers and Vital's APIs and web applications is secured using TLS 1.2 or TLS 1.3. Encryption is also used for all communication between Vital's internal services and with external services. Data persisted by the Vital service is encrypted at rest using 256-bit AES.
Vital uses API token authentication for API access. API tokens can be safely rotated to ensure operational continuity even when an API key is suspected to be compromised. For access to the Vital dashboard, Vital uses short-lived JWT tokens so that even if one is leaked, it will have limited value.
Vital has processes and policies in place to ensure the business continuity of its systems and operations. All production systems have redundancies and are configured for automatic failover and automatic scaling. The Vital team undergoes yearly business continuity training and disaster recovery practice.
Vital has successfully completed a SOC 2 Type I audit of our product, infrastructure, and policies, performed by a third-party auditor, as well as a HIPAA audit, and is GDPR and CCPA compliant. Vital also lets its customers choose which region they operate in, to comply with data locality regulations. Vital undergoes yearly penetration tests by a third-party firm, and employs automated code and network security scanners that continuously verify the security of its code, servers, and networks.