Trust center
Trust, security & privacy
This page is maintained by Vanta Commerce to answer common security and privacy questions about our CRO audit product. It is editable project content, not an independent certification or third-party attestation. Last updated June 21, 2026.
Shared responsibility
How responsibility is split
Vanta Commerce operates the application, the audit pipeline, and customer-facing copy. Our hosting and backend platform provides the underlying infrastructure, managed database, authentication primitives, and storage. Customers are responsible for the URLs and email addresses they submit, and for keeping access to their own inbox secure.
Access & authentication
Who can see what
Audit records are stored in our managed database with row-level security enabled and a default-deny policy for client traffic. Reads and writes to audit data happen only through server-side code we control, never directly from the browser.
Audit results are delivered by emailing a unique link tied to the audit ID. Treat that link like a password — anyone with the link can view that specific audit.
Data we collect
What we store and why
- The page URL you submit, so we can fetch and analyze it.
- Your email address, so we can deliver the audit and follow up about your order.
- Screenshots and AI-generated findings produced from your submission, stored in private buckets.
- For paid audits, a payment session reference from our payment processor. We never see or store full card numbers.
Subprocessors
Services that help us run
We use a small set of vendors to run the product. Each is used for a single, narrow purpose:
- Managed backend & database hosting for audit records.
- An AI model provider to generate audit findings.
- A screenshot service to capture the page being audited.
- A payment processor for paid audits.
- Email delivery for audit results and transactional messages.
- Analytics and session tooling (Google Analytics, Microsoft Clarity, Tawk.to) for product improvement and support.
Cookies & analytics
Tracking on this site
We use a consent banner and default Google Analytics consent flags to "denied" until you opt in. Analytics is configured with IP anonymization and without automatic page views before consent.
Retention & deletion
Removing your data
If you want your audit, email address, or any associated screenshots removed, email hello@vantacommerce.com from the address the audit was sent to and we will delete it.
You can also unsubscribe from any of our marketing emails using the link in the footer of those messages, or by visiting /unsubscribe.
Security contact
Reporting a vulnerability
If you believe you have found a security issue, please email hello@vantacommerce.com with reproduction steps. Please do not publicly disclose the issue until we have had a chance to investigate.
Compliance
What we do and don't claim
Vanta Commerce is not currently certified under SOC 2, ISO 27001, HIPAA, PCI-DSS, or GDPR adequacy frameworks, and nothing on this page should be read as such a certification. If your organization needs a specific compliance posture before purchasing, email us and we will tell you honestly where we stand.