Vectiro
Talk to us
Trust & Governance

Built for trust. Operated for transparency.

Vectiro ships with role-based access control, an append-only audit log, configurable alerts, and twelve production-ready reports. Everything your security, operations, and compliance teams need to govern, monitor, and prove what your backups are doing — on day one.

Request a Demo Or write to trust@vectiro.com
The architecture

Six guarantees, no asterisks.

The foundation under everything below — immutability, identity, audit, access, encryption, isolation. Every line is a property of the product, not a setting you remember to toggle.

  1. 01

    Immutability is a write-time guarantee.

    Every snapshot is written through an object-lock policy at the moment of creation. Vectiro itself cannot delete a snapshot before its retention window expires. Nor can a compromised credential in your own cloud account.

  2. 02

    IAM is your perimeter, not ours.

    Every protected workload sits in your cloud account, governed by your IAM. Vectiro orchestrates; AWS, Azure, and Google Cloud execute. We never hold a long-lived credential to your data plane.

  3. 03

    Audit log is append-only and SIEM-exportable.

    Every operator action, every API call, every policy change is written to an append-only log. The log is exportable to your SIEM through a standard JSON Lines stream — no Vectiro-specific connector required.

  4. 04

    Role-based access control with bring-your-own IdP.

    Single sign-on through SAML or OIDC. SCIM provisioning for Okta, Entra, Google, and any generic identity provider. Role bundles by job; custom roles for everything else.

  5. 05

    Customer-controlled KMS for every write.

    Vectiro never holds plaintext data. Every write is encrypted with a key in your KMS. You rotate the key. You revoke the key. We have no path around it.

  6. 06

    Logically air-gapped recovery vaults.

    Recovery copies live in a separate account boundary with their own IAM and their own KMS. A compromise of your production account cannot reach the vault. A compromise of the vault cannot reach production.

RBAC

One control plane. Every account. Every action.

Vectiro's role-based access control spans every cloud account you connect, every workload it discovers, and every operator who touches it. Bring your identity provider — we integrate, we don't replace.

Roles

Bundled by job — administrator, operator, auditor, billing — with custom roles for organisations that need finer control. Every role is scoped to a cloud account, a tag, or both. A role that can see Account A cannot see Account B unless you explicitly grant it.

Bring your own IdP

SAML 2.0 or OIDC for sign-on. SCIM 2.0 for provisioning. Tested against Okta, Microsoft Entra, Google Workspace, and JumpCloud; works with any compliant provider. Vectiro integrates with your identity provider — we don't replace it.

Resource-level scoping

Restrict an auditor to read-only access on a single tag. Give a regional operator restore rights inside one region, view-only outside it. Roles compose with cloud account boundaries, so the same role behaves differently against different accounts when that's what you want.

Audit Logs

Every action. Every actor. Every account.

The audit log is the source of truth for what happened, who did it, and when. It is append-only by design — not even a Vectiro operator can edit or delete an entry.

What gets logged

Operator sign-ins. Role assignments. Policy creation, edits, and removal. Backup job starts, completions, and failures. Restore requests and their outcomes. Discovery scans. API calls from your automation. Configuration changes on integrations, alerts, and notification channels. Every entry carries the actor identity, the affected resource, the source IP, and a monotonic timestamp.

Append-only by design

The log is written to storage that does not accept rewrites. Once an entry is appended, it stays. Retention windows are configurable per tier; entries are deleted only at the end of their retention, never during.

SIEM-exportable

Stream every entry to your SIEM as JSON Lines through a standard webhook, or pull from the REST endpoint with cursor-based paging. Tested against Splunk, Datadog, Sumo Logic, and Elastic; works with any consumer that accepts JSON over HTTPS.

Alerts

Notify the right team the moment something matters.

Alerts are first-class — not a checkbox in a notification preferences menu. You configure what triggers an alert, who receives it, and how aggressively it escalates.

What you can alert on

Backup failures and chained retries. Policy drift — a resource that should be covered but no longer is. Anomalous backup-size deltas. Pattern matches consistent with ransomware. Retention violations. Failed restore tests. Cross-account vault tamper attempts. Configuration changes to high-sensitivity policies. New cloud accounts discovered outside an expected boundary.

Channels and routing

Email distribution lists, Slack and Microsoft Teams channels, PagerDuty and Opsgenie incidents, generic webhook to your on-call system, or write-through to your SIEM. Different rules can route to different channels — your finance team does not need to see backup-job retries, and your on-call rotation does not need monthly cost reports.

Throttling and grouping

Suppress duplicate alerts within a window. Group related events from the same resource into a single notification. Define quiet hours per rule. Alerts that resolve themselves close automatically; alerts that escalate page the next tier in the rotation.

Reports

Twelve reports, ready out of the box.

Real-time views for the operations team, periodic snapshots for finance, security, and compliance. Every report exports to CSV, XLSX, or PDF and can be scheduled for recurring delivery.

Real-time

Live views that refresh on a one-minute cadence.

  • Backup Summary Live snapshot of backup posture across every protected resource.
  • Audit Trail Real-time stream of operator actions, API calls, and policy changes.
  • Jobs & Execution Active and recent backup, restore, and discovery jobs with current status.

Periodic

Snapshot reports generated on a configurable schedule.

  • Account-level Report Per-account inventory, protection coverage, and policy assignment.
  • Backup Content What sits inside each backup — databases, tables, file paths.
  • Compliance & SLA Policy adherence, retention compliance, and SLA attainment.
  • Policy Effectiveness Policy hit rates, exception counts, and configuration drift.
  • Billing & Cost Storage cost by tier, account, and resource type.
  • Storage Capacity Usage analytics, growth trends, and capacity forecasts.
  • Disaster Recovery DR readiness, test history, and RTO / RPO attainment.
  • Restore/Recovery Recovery operations, success rates, and average recovery time.
  • SLA Tracking SLA compliance by workload and tier, with breach history.

Need a different cut of the data, a custom delivery schedule, or a report formatted for a specific compliance review? Write to trust@vectiro.com and our support team will get back to your needs.

Compliance Standards

Documentation, on request.

Whatever your procurement, security review, or audit requires — write to us, and we'll route you to the right artifact. Letters, attestations, BAAs, DPAs, statements of applicability — handled case by case.

Standard Status
SOC 2 Type II Available on request
ISO 27001 Available on request
HIPAA Available on request
GDPR DPA Available on request
PCI-DSS Available on request

Write to trust@vectiro.com with the standard you need documentation against. Our team will respond with the appropriate artifact, the contract path, and a timeline.

Trust questions get answered before sales questions. Send your security questionnaire, your audit checklist, or your specific governance scenario — we'll route it to the engineer who owns that surface and respond in business hours.

Request a Demo Or write to trust@vectiro.com directly.