How Vic.ai protects your data, your processes, and your organization.
Vic.ai is secure, compliant, and enterprise-ready
Every day, finance teams rely on Vic.ai to automate critical workflows and handle sensitive financial information. We take that responsibility seriously. Trust is foundational to our product, our engineering culture, and the safeguards we implement to protect customer data across systems, users, and integrations at scale within enterprise environments.
From proprietary AI models trained on over 1 billion invoices to our secure AWS-based infrastructure, every layer of Vic.ai is designed with security, privacy, and compliance in mind. We maintain SOC 1 Type II and SOC 2 Type II certifications, and follow strict encryption, role-based access, and data-governance controls that align with industry requirements.
Frequently Asked Questions (FAQs)
Our most frequently requested security and compliance details — the same information we provide in RFPs and vendor assessments.
What security and compliance certifications does Vic.ai maintain?
Vic.ai holds SOC 1 Type II and SOC 2 Type II certifications, renewed annually and audited by third-party assessors. These certifications validate our internal controls and security practices for protecting customer data. Vic.ai also follows an ISO 27001 framework.
Where is Vic.ai data hosted?
Vic.ai is hosted on Amazon Web Services (AWS), leveraging its secure, highly available, and globally recognized cloud infrastructure. Customer data is processed and stored within AWS regions aligned to the customer’s deployment requirements, ensuring strong physical and network security controls.
AWS provides built-in redundancy, encrypted storage services (including Amazon S3 and PostgreSQL-backed databases), and multiple Availability Zones for resilience and failover. Vic.ai’s use of AWS also enables continuous monitoring, automated scaling, and robust disaster-recovery capabilities as part of our SOC 2 Type II-validated controls.
How does Vic.ai encrypt and protect data in transit and at rest?
All data entering or leaving the Vic.ai platform is encrypted using HTTPS/TLS with the strongest available libraries, including SHA-256 and modern TLS standards.
Data at rest is encrypted using AES-256 and FIPS-validated encryption at the storage layer. Encryption keys are regularly rotated.
Does Vic.ai support Single Sign-On (SSO) and Multi-Factor Authentication (MFA)?
Yes. Vic.ai supports SSO via Auth0. MFA is supported when enabled through the customer’s identity provider.
How does Vic.ai prevent unauthorized access to customer data?
Vic.ai enforces least-privilege access, role-based permissions, short-lived access tokens, an encrypted VPN for elevated access, and continuous audit logging through AWS CloudTrail. Internal access is strictly limited and monitored.
How does Vic.ai safeguard data during extraction, ingestion, and processing?
All data ingestion methods (email, SFTP, API, mobile upload) require encrypted transport. Invoice images, metadata, and model outputs remain encrypted throughout extraction and processing. No unencrypted protocols (e.g., HTTP) are permitted.
Does Vic.ai run penetration tests?
Yes. Vic.ai engages an independent third-party security firm to perform annual penetration tests on the platform. Findings are reviewed by our engineering and security teams, and any identified issues are remediated according to severity. Penetration testing is also a control area validated through our SOC 2 Type II audits.
What is Vic.ai’s approach to data retention and deletion?
Data is retained for the duration of the customer agreement and only as needed for operational, legal, and audit purposes. Customers may request data deletion or export at any time; requests are processed promptly by the Vic.ai support team.
Does Vic.ai use customer data for AI training?
Vic.ai utilizes two distinct types of models to make predictions on an invoice, each with a different training methodology.
Global AI models: This model is used to make predictions on invoice header-level fields (fields that are not unique to you), such as invoice number, invoice date, due date, total amount, and currency. We train this model using derived data, so all customers benefit from more accurate predictions. The derived data is always a derivative of the data at scale, and does not contain identifiable data. An example of this is the specific coordinates and/or location of an invoice number on an invoice.
Local AI models: This model is used to make predictions on invoice line-level coding (fields that are unique to you), such as GL account coding, location, and department. This model is trained using customer materials, and learning is not shared across clients.
What is your disaster recovery (DR) and business continuity strategy?
Vic.ai leverages AWS Availability Zones for redundancy and maintains an audited Disaster Recovery plan as part of SOC 2 compliance. Data stored in S3 is automatically replicated across multiple regions. Vic.ai has historically achieved 99.9%+ uptime. Testing and validation occur regularly, at a minimum once a year, with remediation steps tracked and documented.
What are Vic.ai’s incident response procedures?
All incidents are logged centrally and addressed according to priority-level SLAs:
Critical: 4 hours
High Priority: 48 hours
Medium: Next release
Low: Next planned cycle
Vic.ai uses AWS GuardDuty for threat detection and AWS Security Hub for continuous security posture management.
How can customers access SOC 2 reports or other private documents?
SOC 1/SOC 2 reports are available under NDA and can be requested through your Vic.ai representative or the document form below. Other documents (e.g., security policies, data protection policies) are available below.
Are you PCI compliant?
Vic.ai does not process payment card information directly and is therefore not in scope for PCI DSS compliance. If PCI-adjacent processes are introduced, applicable controls will be implemented accordingly.
How does Vic.ai handle ongoing support, system maintenance, and platform updates?
Vic.ai provides ongoing support, maintenance, and monitoring to ensure secure and reliable platform performance. Updates, enhancements, and security patches are deployed regularly through our cloud-based architecture.
Technical support is available for issue resolution and troubleshooting, and all incidents follow defined SLAs — with critical issues addressed immediately and lower-severity items handled in scheduled releases. Continuous monitoring, automated scaling, and disaster-recovery readiness are maintained as part of our SOC 2 Type II controls.
How does Vic.ai ensure secure software development practices (SDLC)?
Vic.ai follows a secure software development lifecycle (SDLC) that incorporates security at every stage of product design, development, testing, and deployment. All code changes undergo peer review, automated testing, and static analysis prior to release. Development and production environments are separated, and access is restricted based on least-privilege principles.
The CFO’s Guide to AI Security and Trust
Our new security guide outlines the controls, certifications, and governance principles every finance team should require from AI vendors.