Security at Vadom

Vadom holds the maintenance record that a food or pharma site relies on during an audit. This page sets out, in plain terms, how that data is protected.

Hosting and data residency

• Vadom runs on Amazon Web Services (AWS) infrastructure in the EU (Ireland, Dublin region). Your data stays in the EU.
• AWS data centres are independently certified to ISO 27001, ISO 27017, ISO 27018 and SOC 1/2/3. Those certifications cover the underlying infrastructure Vadom is built on.
• The application is served over HTTPS only, with automatic redirection from insecure connections.

Encryption

• All traffic between your devices and Vadom is encrypted in transit using TLS (HTTPS), with certificates issued by Let's Encrypt.
• Passwords are never stored in plain text. They are stored as one-way bcrypt hashes, so they cannot be read or recovered, only verified.

Authentication and access control

• Every account signs in with an email and password. Sessions use a 256-bit random token that expires automatically after 30 days.
• Access is role-based. Each user is an Operator, Engineer, Supervisor or Admin, and the server enforces what each role is allowed to do on every request.
• Disabled accounts lose access immediately, and expired sessions are rejected automatically.

Audit trail and records

• Vadom keeps an append-only audit trail. Each significant action (raised, accepted, started, stopped, cleared, closed, edited) is recorded and never altered or deleted.
• Every entry is attributable to a named user and timestamped.
• Breakdowns are signed off with a captured e-signature and a mandatory clearance checklist before a line is released.
• A full record of each breakdown can be exported as a PDF for an auditor or quality file.

Backups and availability

• The database is backed up automatically every day, and backups are retained on a rolling 14-day basis.
• The service runs under a process manager that restarts the application automatically if it stops, and on server reboot.

Sub-processors

Vadom relies on a small number of vetted providers to deliver the service. The current list (AWS for hosting, Google Firebase for push notifications) is maintained in our Privacy Policy.

Reporting a security issue

If you believe you have found a security vulnerability in Vadom, please email security@vadom.ie. We will acknowledge your report and keep you updated on the fix. Please do not publicly disclose an issue before we have had a chance to address it.