Executive Summary
Vitality Index is operated with a mature security program. We apply industry-standard controls to protect Customer Data and support procurement and DPO review with attestations (SOC 2, ISO) under NDA.
Key Controls
- Governance: Security led by Head of Security / CTO; documented security policies and IR plan.
- Encryption: TLS for data in transit; encryption at rest (AES-256 or equivalent).
- Authentication: SSO support; RBAC; MFA for privileged users.
- Secrets Management: Use of cloud KMS/Secret Manager; no hard-coded secrets.
- Logging & Monitoring: Centralized logging and SIEM with alerting and redaction of sensitive fields.
- Backups & Recovery: Regular backups; quarterly restore testing; backup retention ~90 days.
- Vulnerability Management: Regular automated scans and scheduled patching.
- Pen-Testing & Audits: Annual third-party pen tests and SOC 2 Type II audit; remediation tracking.
- Incident Response: Documented IR plan; 72-hour initial notification target after confirmation of an incident.
- Data Protection: Logical separation of Customer Data, data minimization, and deletion workflows per DPA.
- Supply Chain: Subprocessors are contracted with data protection obligations and published at /legal/subprocessors.
- Attestations: SOC 2 Type II and other reports are available under NDA. Contact legal@matchverticals.com to request access.
Requesting Confidential Security Evidence (NDA Required)
Full SOC 2 Type II reports, penetration test reports and other security evidence are confidential. For legal, contractual and commercial reasons we provide these documents only after execution of a mutual Non-Disclosure Agreement (NDA) or equivalent confidentiality arrangement.
What We Make Available Under NDA
- Full SOC 2 Type II report (most recent engagement)
- Full third-party penetration test reports and remediation summaries
- Detailed architecture diagrams and security control evidence (on a need-to-know basis)
- Procurement pack including DPA template, prefilled SCC Annexes, and Security Overview (full pack delivered under NDA)
How to Request
To request confidential security evidence, please email legal@matchverticals.com with the following information:
- Subject: Request: SOC2 / PenTest NDA — [Company Name]
- Body: Company legal name, requestor name and title, business email and phone, brief reason for request (procurement / security review / legal), and the list of documents you need.
- Proof of identity / affiliation: Corporate email is preferred.
- Preferred signing method: indicate whether you prefer a returnable NDA (PDF) or DocuSign signing link.
What Happens Next
- We will acknowledge receipt within 1 business day.
- We will send our standard mutual NDA via DocuSign (recommended) or attach our PDF NDA for countersignature.
- After the executed NDA is returned, we will provide a secure download link to the requested documents. Access links are time-limited and tracked.
Typical turnaround from NDA execution to document delivery: 1–2 business days.
DPIA Support
Match Vertical Partners will assist Customers conducting Data Protection Impact Assessments (DPIAs). On request we will provide: processing descriptions, summaries of technical and organizational measures, the subprocessors list, transfer mechanisms (SCCs), and security attestations (SOC 2) under NDA. The Controller remains responsible for DPIA conclusions and mitigation decisions.
Contact
For procurement, evidence, or security questions:
security@matchverticals.com or contact@matchverticals.com
