Trust center

Trust, security & privacy

This page is maintained by Vanta Commerce to answer common security and privacy questions about our CRO audit product. It is editable project content, not an independent certification or third-party attestation. Last updated June 21, 2026.

Shared responsibility

How responsibility is split

Vanta Commerce operates the application, the audit pipeline, and customer-facing copy. Our hosting and backend platform provides the underlying infrastructure, managed database, authentication primitives, and storage. Customers are responsible for the URLs and email addresses they submit, and for keeping access to their own inbox secure.

Access & authentication

Who can see what

Audit records are stored in our managed database with row-level security enabled and a default-deny policy for client traffic. Reads and writes to audit data happen only through server-side code we control, never directly from the browser.

Audit results are delivered by emailing a unique link tied to the audit ID. Treat that link like a password — anyone with the link can view that specific audit.

Data we collect

What we store and why

  • The page URL you submit, so we can fetch and analyze it.
  • Your email address, so we can deliver the audit and follow up about your order.
  • Screenshots and AI-generated findings produced from your submission, stored in private buckets.
  • For paid audits, a payment session reference from our payment processor. We never see or store full card numbers.

Subprocessors

Services that help us run

We use a small set of vendors to run the product. Each is used for a single, narrow purpose:

  • Managed backend & database hosting for audit records.
  • An AI model provider to generate audit findings.
  • A screenshot service to capture the page being audited.
  • A payment processor for paid audits.
  • Email delivery for audit results and transactional messages.
  • Analytics and session tooling (Google Analytics, Microsoft Clarity, Tawk.to) for product improvement and support.

Cookies & analytics

Tracking on this site

We use a consent banner and default Google Analytics consent flags to "denied" until you opt in. Analytics is configured with IP anonymization and without automatic page views before consent.

Retention & deletion

Removing your data

If you want your audit, email address, or any associated screenshots removed, email hello@vantacommerce.com from the address the audit was sent to and we will delete it.

You can also unsubscribe from any of our marketing emails using the link in the footer of those messages, or by visiting /unsubscribe.

Security contact

Reporting a vulnerability

If you believe you have found a security issue, please email hello@vantacommerce.com with reproduction steps. Please do not publicly disclose the issue until we have had a chance to investigate.

Compliance

What we do and don't claim

Vanta Commerce is not currently certified under SOC 2, ISO 27001, HIPAA, PCI-DSS, or GDPR adequacy frameworks, and nothing on this page should be read as such a certification. If your organization needs a specific compliance posture before purchasing, email us and we will tell you honestly where we stand.