Security
Vectis is single-tenant by default — your MSP gets its own database, its own application container, its own subdomain. Every control on this page is shipped today; nothing is aspirational.
Architecture
Tenancy is a deployment boundary. We do not run a shared application that branches on tenant ID — each MSP gets its own container, its own database, its own scheduled jobs.
Each paying MSP gets a dedicated Postgres database. Customer data does not share a DB with any other tenant — there is no row-level multi-tenancy fallback path.
Each MSP runs in its own application container with its own scheduled jobs, on its own subdomain. A bug in one tenant's sync cannot reach another.
TLS 1.2+ on every domain (HSTS enforced). Database disks encrypted at the storage layer. Integration credentials wrapped in AES-256 with a key held outside the database.
Access control
Authorisation runs server-side on every authenticated route. Operator accounts are MFA-required from first login. Production access is least-privilege and reviewed on every personnel change.
TOTP plus recovery codes, forced at first login for every staff user. No opt-out.
Role checks run on every authenticated route; the client UI is not trusted. Three roles, admin, analyst and viewer, each with a declared permission surface.
Password hashing uses a cost factor of 12 or higher. Sign-in is rate limited (5 attempts per 15 minutes). Session cookies expire after 8 hours of inactivity and are set HttpOnly, Secure and SameSite=Strict.
Data handling
The rules engine can write back to your PSA, RMM, and billing systems. To keep that power safe, every action is logged, dry-run is required for new rules, and per-integration rate limits stop runaway loops.
Every write-back to a connected system, every rule execution, every admin action lands in an audit log the application layer cannot delete from.
New rules require dry-run before they can fire against live systems. Per-integration rate limits stop runaway rules. Failed actions land in a dead-letter queue, not an infinite retry.
Migrations track applied state in the DB and walk in monotonic order on every deploy. A failed migration self-heals on the next deploy rather than wedging a tenant in a half-applied state.
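As an added example of the migration contract described above (not Vectis's own code): a per-tenant runner that records applied versions in the database, walks pending migrations in ascending order, and commits each migration's DDL together with its version row, so a failure leaves nothing half-applied and the next deploy resumes at the same version. SQLite stands in for Postgres so the example runs offline; the migrations and table names are constructed for the demo.

```python
import sqlite3

# Constructed migrations for this example: (version, SQL), applied in ascending order.
MIGRATIONS = [
    (1, "CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT NOT NULL)"),
    (2, "ALTER TABLE tickets ADD COLUMN priority INTEGER NOT NULL DEFAULT 3"),
    (3, "CREATE INDEX tickets_priority ON tickets (priority)"),
]

def open_tenant_db(path=":memory:"):
    # isolation_level=None: no implicit transactions, so BEGIN/COMMIT below are exact.
    return sqlite3.connect(path, isolation_level=None)

def applied_versions(conn):
    """Versions recorded as applied in this tenant's database, ascending."""
    conn.execute("CREATE TABLE IF NOT EXISTS schema_migrations "
                 "(version INTEGER PRIMARY KEY, applied_at TEXT DEFAULT CURRENT_TIMESTAMP)")
    return [v for (v,) in conn.execute("SELECT version FROM schema_migrations ORDER BY version")]

def migrate(conn, migrations=MIGRATIONS):
    """Apply pending migrations in version order; returns the versions applied.
    The DDL and its schema_migrations row commit together, so a failure rolls
    both back and the next deploy resumes at the same version."""
    done = applied_versions(conn)
    applied = []
    for version, sql in sorted(migrations):
        if version in done:
            continue
        if done and version < done[-1]:  # refuse to apply out of monotonic order
            raise RuntimeError(f"migration {version} is older than applied {done[-1]}")
        conn.execute("BEGIN")
        try:
            conn.execute(sql)
            conn.execute("INSERT INTO schema_migrations (version) VALUES (?)", (version,))
            conn.execute("COMMIT")
        except sqlite3.Error as exc:
            conn.execute("ROLLBACK")
            raise RuntimeError(f"migration {version} failed: {exc}") from exc
        done.append(version)
        applied.append(version)
    return applied

def demo():
    """Deploy with a broken migration 2, then redeploy with it fixed."""
    conn = open_tenant_db()
    broken = [MIGRATIONS[0], (2, "ALTER TABLE missing ADD COLUMN x INTEGER"), MIGRATIONS[2]]
    try:
        migrate(conn, broken)
    except RuntimeError as exc:
        print("first deploy:", exc)
    after_failure = applied_versions(conn)   # [1]: version 2 left no trace
    second_run = migrate(conn)                # [2, 3]: resumes at version 2
    return after_failure, second_run, applied_versions(conn), migrate(conn)
```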
Operations
A backup that has never been restored is a hope, not a recovery plan. We verify nightly dumps with a rotating restore-into-scratch check and log the result. Vulnerability reports get acknowledged within three business days.
Customer databases dumped on a nightly schedule, encrypted, and stored separately from the live DB. Weekly restore-into-scratch verification runs against a rotating tenant; results are logged.
Report security issues privately to security@mspvectis.com. We acknowledge within 3 business days and never pursue good-faith researchers who follow responsible-disclosure practices.
If we learn of a security incident affecting customer data, we notify affected customers without undue delay, with the information available about scope and remediation. Where GDPR applies, we also make the statutory 72-hour notification to the supervisory authority.
Compliance
Trust copy is the easiest thing to over-claim. We don’t.
SOC 2
Controls are modelled on the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality). We do not yet hold a SOC 2 report. We will publish a target audit date when one is set; we do not list one today.
GDPR / UK GDPR
We act as a processor for the customer data you route through Vectis; you remain the controller of data about your own end customers and employees. Our Data Processing Addendum governs that relationship; EU-to-US transfers rely on Standard Contractual Clauses.
HIPAA / PCI DSS
Vectis is not designed as a destination for protected health information or cardholder data. We do not sign Business Associate Agreements at this time. Billing is handled by Stripe (PCI DSS Level 1); card data never reaches our systems.
ISO 27001
No certification today. Listed here so you can record it as not-claimed in your vendor review rather than having to ask.
For procurement reviewers
Every control on this page, mapped to specific commitments, plus the legal basis for them. Aimed at procurement and security reviewers, not buyers.
DPA available on request — emailed as a counter-signed PDF.
14-day free trial on every plan. Connect a sandbox PSA + RMM, point your security team at it, decide before the charge hits.