Security & Compliance Pack

Vendor Check Pro is designed to help schools and organisations manage vendor compliance with a strong focus on security, access control, auditability, and data governance. This page summarises how the platform is structured today, how access is controlled, how customer data is handled, and what supporting documents are available during due diligence.

We are also currently in the process of obtaining IASME Cyber Assurance certification as part of our ongoing commitment to strengthening security controls, demonstrating good cybersecurity practices, and supporting customer due diligence requirements.

1. Security Overview

Vendor Check Pro is designed as an internet-accessible B2B platform for authorised customer and administrative users. Access is restricted to approved accounts, and the platform is structured to support secure handling of vendor compliance records, uploaded documents, and organisation-level workflows.

Our approach focuses on practical controls, including:

  • named user access

  • role-based permissions

  • organisation-level data separation

  • auditability of key actions

  • documented access review and removal processes

  • secure hosting and endpoint controls

  • retention and deletion controls

  • incident handling and follow-up procedures

Security controls are intended to support day-to-day operational discipline as well as formal customer due diligence.

2. Access Control and Permissions

Access to Vendor Check Pro is restricted to authorised users only. Customer organisations control access for their own approved users, and internal administrative access is limited to named individuals with a defined business need.

Current access principles include:

  • no public self-registration for platform access

  • named user accounts

  • no shared administrative accounts

  • role-based access control

  • least-privilege access by role

  • administrative access limited to authorised users

  • periodic review of privileged access

  • removal of access when no longer required

Customer-facing roles and internal roles are separated so that users only see the information and functions appropriate to their responsibilities.

3. Authentication and Account Security

Vendor Check Pro uses controlled authentication measures to protect access to customer data and administrative functions.

Current controls include:

  • password-based authentication for authorised accounts

  • two-factor authentication for defined organisation-level roles

  • account lockout after repeated failed login attempts

  • password rules enforced at account creation and password change

  • session expiry after a period of inactivity

Passwords are not stored in plain text. Authentication events and related security actions are logged as part of the platform’s operational controls.
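The three account-security controls listed above (no plain-text passwords, lockout after repeated failures, session expiry on inactivity) together, as an added illustration that is not Vendor Check Pro's own code; the thresholds, the scrypt parameters and the audit event names are assumptions, and two-factor authentication is out of scope here:

```python
import hashlib
import hmac
import os

# Thresholds are illustrative assumptions, not Vendor Check Pro's actual policy values.
MAX_FAILED_ATTEMPTS = 5         # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60       # how long a locked account refuses logins
SESSION_IDLE_SECONDS = 30 * 60  # session expires after this much inactivity

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); only the salted scrypt digest is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed_attempts = 0
        self.locked_until = 0.0      # epoch seconds; 0 means not locked
        self.audit = []              # authentication events are logged (section 3)

    def login(self, password: str, now: float) -> bool:
        if now < self.locked_until:
            self.audit.append("login_rejected_locked")
            return False
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):  # constant-time comparison
            self.failed_attempts = 0
            self.audit.append("login_success")
            return True
        self.failed_attempts += 1
        self.audit.append("login_failed")
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_attempts = 0
            self.audit.append("account_locked")
        return False

def session_active(last_activity: float, now: float) -> bool:
    """Session expiry after a period of inactivity: False once the idle limit has passed."""
    return now - last_activity <= SESSION_IDLE_SECONDS
```

Note that a locked account rejects even the correct password until the lockout window has passed, and that the lock is applied before the hash is computed so repeated attempts against a locked account cost the server nothing.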

4. Organisation-Level Data Separation

Vendor Check Pro is designed to support strict separation between customer organisations. Users should be able to access only data associated with their own organisation and approved role.

This includes:

  • organisation-level segregation of records

  • role-based visibility within an organisation

  • restricted access to uploaded documents

  • separation of customer data from internal administration functions

This is intended to reduce the risk of cross-organisation visibility and support customer governance requirements.

5. Hosting and Infrastructure

Vendor Check Pro is hosted on a managed VPS environment through InterServer in Canada. The live production environment and uploaded document storage are managed within that hosted environment.

Current infrastructure controls include:

  • firewall controls with default deny incoming policy

  • restricted inbound access based on business need

  • HTTPS for application access

  • controlled administrative access

  • disabled password-based SSH login

  • restricted server administration practices

  • encrypted endpoint and device controls for administrative users

Uploaded files are stored outside the web application directory and are not intended to be directly accessible to the public.

6. Document Security and Sensitive Records

Vendor Check Pro is designed to handle vendor compliance documents and related records in a controlled way. Depending on customer use, these records may include identity documents, safeguarding-related records, certificates, licences, and supporting compliance evidence.

Document handling controls include:

  • restricted access by organisation and role

  • controlled upload and review workflows

  • encryption of documents in transit using HTTPS/TLS

  • encryption of documents at rest within storage systems

  • secure storage practices

  • auditability of key actions

  • retention and deletion controls

  • removal of public access to stored files

Customers remain responsible for deciding what data they require vendors to submit and for ensuring their own use of the platform aligns with their legal and policy obligations.
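How the organisation-level segregation of section 4 and the document controls of this section (access restricted by organisation and role, files kept outside the web directory) fit together in a single read check, as an added example that is not Vendor Check Pro's own code; the store location, role names and identifier format are assumptions:

```python
import os
import re
from dataclasses import dataclass

# Store location, role names and identifier format are assumptions, not Vendor Check Pro's configuration.
DOCUMENT_STORE = "/srv/app/documents"   # outside the web root; never served directly
READ_ROLES = {"org_admin", "reviewer"}  # roles that may read any document in their organisation
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")  # no separators, no leading dot

@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    role: str

@dataclass(frozen=True)
class Document:
    org_id: str        # owning organisation: the segregation key checked before anything else
    uploaded_by: str
    stored_name: str   # opaque on-disk name assigned by the platform, not the upload filename

class AccessDenied(Exception):
    pass

def authorise_read(user: User, doc: Document) -> None:
    """Raise unless the document is in the user's organisation and the role permits reading."""
    if doc.org_id != user.org_id:   # cross-organisation reads are refused regardless of role
        raise AccessDenied("document belongs to another organisation")
    if user.role in READ_ROLES:
        return
    if user.role == "uploader" and doc.uploaded_by == user.user_id:
        return   # uploaders see only their own submissions
    raise AccessDenied("role does not permit reading this document")

def can_read(user: User, doc: Document) -> bool:
    try:
        authorise_read(user, doc)
        return True
    except AccessDenied:
        return False

def open_document(user: User, doc: Document) -> str:
    # Authorise first, then map the record to a path that must stay inside DOCUMENT_STORE.
    authorise_read(user, doc)
    if not (SAFE_NAME.match(doc.org_id) and SAFE_NAME.match(doc.stored_name)):
        raise AccessDenied("unsafe storage identifier")
    path = os.path.normpath(os.path.join(DOCUMENT_STORE, doc.org_id, doc.stored_name))
    if os.path.commonpath([DOCUMENT_STORE, path]) != DOCUMENT_STORE:
        raise AccessDenied("resolved path escaped the document store")
    return path
```

The organisation check runs before the role check so that an administrator of one organisation gets the same refusal as any other outsider, and the on-disk name is validated even though it is platform-assigned, so a corrupted or tampered record cannot reach outside the store.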

7. Audit and Activity Logging

Vendor Check Pro is designed to support auditability of key actions across the platform.

This includes logging of actions such as:

  • uploads

  • approvals and rejections

  • status changes

  • access-related actions

  • administrative activity where relevant

Auditability supports internal governance, customer oversight, and follow-up where issues or disputes arise.

8. Data Protection and Privacy

Vendor Check Pro is intended to support customers in managing vendor compliance information responsibly. Customer organisations typically determine what vendor information they require and why. In that context, customers are generally responsible for the decisions they make about the personal data they collect and manage through the service.

Vendor Check Pro acts as a service provider in connection with the platform and related support activities. Customer data is used only to deliver, maintain, support, and secure the service.

We do not sell customer data. We do not use customer data for unrelated advertising purposes.

Where customer operations are subject to applicable privacy laws, including UAE data protection requirements where relevant, Vendor Check Pro is intended to support compliance through access control, data segregation, retention controls, auditability, and documented processing arrangements.

9. Retention, Export, and Deletion

Customer data is retained only for as long as needed to provide the service, meet legal or contractual obligations, resolve disputes, or enforce agreements.

Where a customer relationship ends:

  • customer access may be withdrawn in line with the applicable agreement

  • data export can be supported where agreed

  • data deletion is carried out in line with the applicable retention and deletion process

Any specific retention periods, export arrangements, or deletion timelines should be governed by the relevant contractual and privacy documentation.

10. Administrative Access Review and Removal

Administrative and privileged access is controlled through named accounts and defined responsibilities. Access is reviewed periodically and removed when no longer required.

Current administrative access practices include:

  • named privileged accounts

  • no shared admin accounts

  • defined business need for privileged access

  • review of privileged access at regular intervals

  • removal or reduction of access where roles change or access is no longer needed

These controls are intended to support accountability and reduce the risk of unnecessary privileged access remaining in place.

11. Endpoint and Device Security

Administrative access to business systems is performed through controlled user devices. Endpoint security measures support access to hosting, email, storage, and business platforms.

Current endpoint controls include:

  • device firewall enabled

  • disk encryption enabled on relevant devices

  • malware protection enabled on relevant devices

  • software installation restricted by administrative credentials

  • supported software only

  • automatic updates where available

  • secure configuration review of in-scope devices

These controls help reduce the risk of unauthorised software installation, malware, and insecure device access to business systems.

12. Incident Response

Vendor Check Pro maintains an incident handling approach intended to support identification, investigation, containment, and follow-up where security issues arise.

This includes:

  • reporting and escalation of suspected incidents

  • investigation and containment activity

  • review of affected systems or accounts

  • corrective actions where required

  • customer notification where required by law, contract, or risk level

Incident handling is intended to support both operational response and improvement of controls over time.

13. Service Providers and Platforms

Vendor Check Pro relies on a number of third-party service providers and platforms to operate and support the service. These may include providers for:

  • application hosting

  • website hosting

  • email

  • domain and DNS administration

  • storage and collaboration

  • CRM

  • accounting and payments

  • banking

  • approved internal tooling

A current provider list can be made available as part of due diligence and customer review processes.

14. Assurance Status

Vendor Check Pro’s security and compliance documentation is being actively developed and maintained to support customer due diligence, governance reviews, and operational control.

Current work includes:

  • documented asset and service registers

  • access control records

  • review notes for technical controls

  • security and acceptable use policies

  • password and authentication policy

  • access removal and offboarding procedure

  • evidence gathering for Cyber Essentials / IASME-related readiness

This means our position is based on documented controls and current operating practices, not on marketing language alone.

15. Key Documents

The following documents may be available to support review and onboarding:

  • Privacy Policy

  • Data Processing Agreement

  • Terms of Service

  • Security and Compliance documentation

  • supporting due diligence responses where appropriate

Availability may depend on the stage of discussion, customer requirements, and the type of review being undertaken.

16. UAE PDPL

Vendor Check Pro is designed with security, access control, auditability, and data governance in mind. Where customer operations are subject to UAE data protection requirements, including the UAE Personal Data Protection Law, we support compliance through role-based access, data segregation, auditability, retention controls, and documented processing arrangements.

17. Contact

If you are reviewing Vendor Check Pro as part of procurement, due diligence, or customer onboarding, you can contact us for further information regarding:

  • security controls

  • data handling

  • privacy and processing arrangements

  • service providers

  • access control approach

  • onboarding and operational governance

Contact: info@vendorcheckpro.com