{"section":"tutorials","requestedLocale":"en","requestedSlug":"vtex-information-security-and-privacy-certificates","locale":"en","slug":"vtex-information-security-and-privacy-certificates","path":"docs/en/tutorials/security/information-security-compliance/vtex-information-security-and-privacy-certificates.md","branch":"main","content":"VTEX follows the highest international standards for information security and data privacy. To reinforce this commitment, we maintain globally recognized certifications that confirm our processes comply with international standards and requirements. This article outlines the certifications held by VTEX and how to access them.\n\n## ISO 27001\n\nISO 27001 is an international standard that defines the requirements for an Information Security Management System (ISMS).\n\nVTEX certification was issued in Brazil, but covers global data and transactions, as all platform data is processed in Brazil. The certificate is for the VTEX platform and is valid globally.\n\nThe certificate is available at the [VTEX Trust Center](https://compliance.vtex.com/).\n\n## PCI-DSS\n\nPCI-DSS (Payment Card Industry Data Security Standard) is a required certification for companies that process, store, or transmit credit and debit card data.\n\nVTEX complies with the latest version of the certification, PCI-DSS v4.0. This certification is valid for 12 months from the audit date and is renewed annually.\n\nThe certificate is available at the [VTEX Trust Center](https://compliance.vtex.com/).  \n\n> ℹ️ The PCI-DSS certificate indicates the issue date as the Assessment End Date. 
The Publication Date field refers to the date the PCI standard was officially published, not to the certificate's validity.\n\n## SOC 1 Type 2 and SOC 2 Type 2\n\nSOC (System and Organization Controls) reports evaluate internal controls related to security, availability, processing integrity, and confidentiality.\n\nVTEX holds SOC 1 Type 2 and SOC 2 Type 2 reports, which attest to the effectiveness of these controls over a 12-month period from the audit date.\n\nThe report evaluates the controls applied during the previous year. For example, if the report covers the period from January 1, 2024, to December 31, 2024, it will remain valid throughout 2025.\n\nCertificates are usually issued at the end of the first quarter or the beginning of the second quarter following the year under review. If there's a gap between the validity of the last available SOC report and the next audit, VTEX can issue a Bridge Letter (or Gap Letter) to cover the period.\n\nYou can request access to the SOC certificates via the [VTEX Trust Center](https://compliance.vtex.com/).\n\n## Data Privacy Framework (DPF)\n\nThe Data Privacy Framework is an EU-approved program that facilitates the secure international transfer of personal data.  \n\nVTEX is certified under the three primary DPF frameworks, which regulate data transfers from the European Union, the United Kingdom, and Switzerland to the United States.  \n\nThe VTEX certification can be accessed directly on the program's [official website](https://www.dataprivacyframework.gov/list). To check if the certification is active for each framework, search for **VTEX** in the website search bar and look at the **Status** column. It will display **Active** for the frameworks where the certification is valid."}