Is Vanta safe with your data?

Vanta

Vanta Inc.

58/100

Partial disclosure · high confidence

Vanta earns a C (58/100) because it discloses its data practices only in part.

#78

of 116 apps ranked

score · Security & compliance avg —

—

vs category average

Grade scaleA · 85–100B · 70–84C · 55–69D · 40–54F · 0–39

Vanta's controller-level website privacy policy earns a mid-C. It has a complete data-subject rights menu, a named subprocessor disclosure, and named international transfer safeguards. It says nothing about AI training and gives only vague retention language, so it lands well below the B band. Every quoted mechanism appears verbatim in the snapshot, no certifications were invented, and the empty dealbreaker list is correct because the one adverse practice (selling and sharing for ads) carries a working opt-out.

What Vanta's privacy policy says about your data

Full rights menu

The policy grants access, deletion, portability ("in a portable and structured format"), correction, objection, and the right to appeal a refusal, all exercisable via privacy@vanta.com.

Named transfer safeguards

International transfers rely on "the EU standard contractual clauses" and self-certification under the EU-U.S., Swiss-U.S., and UK Extension Data Privacy Framework, with the Irish Data Protection Commissioner named as lead supervisory authority.

Sells and shares for ads, with an opt-out

Vanta states it "has sold or shared information (such as identifiers and internet activity information via Cookies) to ad networks," and it provides a Cookie-settings and Global Privacy Control opt-out. That makes it an adverse practice with an opt-out, which counts as a half, not a dealbreaker.

Vague retention and no breach clause

Retention is only "for as long as necessary for the purposes described," with no deletion timeline and no breach-notification commitment, and security rests on "industry-standard technical and organizational measures."

What the policy is silent or vague on

Not stated: keeping user inputs out of model training
Not stated: a way to opt out of training
Not stated: whether training use differs by plan
Not stated: your ownership of generated outputs

Vanta privacy rating

Training-data use0 of 4 disclosed

Keeps user inputs out of model training, or makes training opt-inSilent

Names a way to opt out of or into trainingSilent

Says whether training use differs by plan or tierSilent

Lets the user keep ownership of generated outputsSilent

Data-subject rights5 of 5 disclosed

Grants a right to access your dataDisclosed

Grants a right to delete your dataDisclosed

Offers data portability in a usable formatDisclosed

Grants a right to correct your dataDisclosed

Grants a way to object to or opt out of processingDisclosed

Retention and deletion0 of 4 disclosed

States a retention period for your dataPartial

States a deletion timeline after closure or requestSilent

Sets a shorter retention for AI conversation logsSilent

Commits to collecting only the data it needsPartial

Third-party sharing4 of 5 disclosed

Lists the categories of third parties it shares withDisclosed

References a sub-processor list or data processing agreementDisclosed

Does not sell or share data for advertising, or offers opt-outPartial

Names a safeguard for international data transfersDisclosed

States a standard for government and law-enforcement accessDisclosed

Transparency3 of 4 disclosed

Discloses that you are interacting with AISilent

Marks AI-generated or synthetic outputNot applicable

Enumerates the categories of data it collectsDisclosed

Maps processing purposes to legal basesDisclosed

Is versioned and dated, with change noticeDisclosed

Sensitive data and children1 of 2 disclosed

Discloses automated decisions and a human-review pathNot applicable

Limits the use of special-category dataPartial

Governs biometric data specificallyNot applicable

States protections for children's dataDisclosed

Security and accountability1 of 3 disclosed

Describes its security safeguardsPartial

Commits to breach notificationSilent

Names a certification or a privacy contactDisclosed

DisclosedPartialSilentAdverseNot applicable

Details

Category: Security & compliance
Modalities: text
Processes biometrics: No
Policy last updated: 2026-02-25
Region scored: Global / US-default
Assessed: 2026-06-20

Read Vanta's privacy policy

Other security & compliance apps

DrataC

Each grade reflects our analysis of what an app states in its public privacy policy and terms as of the assessment date. It measures the transparency of those documents, not the company's actual data practices, security, or compliance. Grades are our opinion, offered for general information. Full disclaimer.