Vistaly Privacy & Security Fact Sheet

Last Updated: August 2025

Key Documents & Resources

Public Documentation

• 🔒 Security Policy - Our comprehensive security practices
• 📜 Privacy Policy - How we handle your data
• 📋 Terms of Service - Service agreements and terms
• 🌐 GDPR Compliance - GDPR details and rights
• 🏢 Sub-Processors - Third-party services we use
• 🍪 Cookie Policy - Cookie usage and controls
• 📊 System Status - Real-time service status

Available Upon Request

• SOC 2 Type 2 Report - Email support@vistaly.com
• Data Privacy Framework Verification - Search "Vistaly" on DPF List

Business Plan Added Support

Business & Enterprise customers receive additional security support including:

• Data Processing Agreement (DPA) - Custom GDPR-compliant agreements
• Security Architecture Walkthroughs - Technical deep dive sessions
• Custom Security Assessments - Support for your security questionnaires
• Standard Contractual Clauses (SCCs) - For international data transfers
• Dedicated Security Reviews - Annual or on-demand security discussions
• Custom Legal Agreements - Tailored security addendums

1. Data Privacy & Rights

1.1 Your Data Ownership

• You own your data - We never claim ownership of your content
• Full intellectual property rights remain with you
• We only maintain a limited license to operate the service
• License terminates upon content/account deletion

→ See data ownership terms in our Terms of Service: Data Ownership section

1.2 Who Can Access Your Data

Our Employees

• Access granted on least-privilege basis only
• All employees bound by confidentiality agreements
• Multi-factor authentication required
• Quarterly access reviews conducted

→ See full employee security requirements at Security Policy: Internal Security Measures

Third-Party Sub-processors

We maintain transparency about our sub-processors. Key processors include AWS (infrastructure), Stripe (payments), and select analytics/monitoring services.

→ Full list with compliance status at Sub-Processors

1.3 Your Control & Rights

• Export your data anytime
• Delete your account or organization data
• Full GDPR rights: access, correction, deletion, portability, restriction
• Control sharing and access permissions

→ See detailed data control procedures at Privacy Policy: Your Rights section

1.4 Geographic Data Processing

• Primary Infrastructure: United States (AWS)
• International Transfers: Covered by DPF certifications and Standard Contractual Clauses
• Sub-processor Locations: USA, Germany, UK, Italy

2. Data Security

2.1 Encryption

• At Rest: AES-256 encryption for all stored data
• In Transit: TLS 1.2+ for all data transmission
• Backups: Fully encrypted
• Key Management: Enterprise-grade AWS KMS

2.2 Access Controls

• Single Sign-On (SSO) via Google OAuth
• Multi-factor authentication available (enforceable by admins)
• Role-based access control (RBAC)
• API authentication via secure tokens

→ See complete access control specifications at Security Policy: Access & Identity Control

2.3 Infrastructure Security

• AWS certified infrastructure (SOC 1/2/3, ISO 27001/27017/27018/27701)
• DDoS protection and Web Application Firewall
• Production/non-production environment separation
• 24/7 physical security at data centers

→ See infrastructure security details at Security Policy: Cloud Security

2.4 Security Monitoring

• Real-time monitoring and alerting
• Regular vulnerability scanning
• External penetration testing

→ See monitoring practices at Security Policy: Security Monitoring

2.5 Incident Response

• Security Issues: security@vistaly.com
• Data Protection Officer: dpo@vistaly.com
• Data Breaches: GDPR-compliant 72-hour notification
• Status Updates: status.vistaly.com

→ See incident response procedures at Security Policy: Incident Response

2.6 Backup & Recovery

• Daily automated backups
• Geographic redundancy
• Point-in-time recovery available
• 7-year backup retention policy

→ See backup and disaster recovery details at Security Policy: Data Protection

3. Data Isolation

3.1 Architecture

• Workspace-level separation with distinct access controls
• No cross-workspace data access
• SOC 2 Type 2 validated logical access controls
• Separate authentication per organization

3.2 Customer Data Segregation

Vistaly implements comprehensive data isolation to ensure complete separation between customer organizations. Each customer organization's data is strictly separated and protected with dedicated access boundaries. All API endpoints enforce organizational boundaries, preventing any cross-organization data access.

Your team's data is never visible to other Vistaly customers. We implement defense-in-depth strategies with multiple security layers to ensure your organization's data remains completely private and isolated.

Technical architecture details available in Security Architecture Walkthroughs (Business/Enterprise plans)

4. Compliance & Assurance

4.1 Active Certifications

Certification	Scope	Verification
SOC 2 Type 2	Security, Availability, Confidentiality	Available on request
GDPR	Full compliance	Policy
EU-U.S. DPF	Data transfers	Certificate
UK Extension DPF	UK transfers	Certificate
Swiss-U.S. DPF	Swiss transfers	Certificate

4.2 Third-Party Validation

• Independent SOC 2 Type 2 audit
• Regular penetration testing
• Quarterly vulnerability scanning
• AWS infrastructure certifications inherited

4.3 Contractual Commitments

• All Customers: Data Privacy Framework certification
• Business Customers: Custom Data Processing Agreements
• Enterprise: Standard Contractual Clauses, custom security addendums
• Breach Notification: 72-hour commitment per GDPR

5. Operational Security

5.1 Development Security

• Mandatory code review process
• Comprehensive automated testing
• Secure CI/CD pipeline
• Vulnerability scanning for dependencies

→ See development practices at Security Policy: Internal Security Measures

5.2 Employee Security

• Security training and policy acknowledgment required
• Background checks conducted
• Multi-factor authentication mandatory
• Least-privilege access with quarterly reviews

→ See employee security requirements at Security Policy: Internal Security Measures

5.3 Vendor Management

• Risk assessments before data sharing
• Annual review of critical providers
• GDPR compliance verification for all sub-processors

→ See vendor management procedures at Security Policy: Vendor Management

5.4 Business Continuity

• Daily automated backups with 7-year retention
• 99.9% uptime target

→ See business continuity details at Security Policy: Data Protection

5.5 Security Governance

• Designated Data Protection Officer
• Regular security policy reviews
• Formal incident response team
• Executive oversight for critical decisions

→ See governance structure at Security Policy: Security Governance

Contact Us