Skip to main content
Vermont Solutions

Compliance

Trust Center

Vermont Solutions security, privacy, compliance and certifications hub. ISO 27001/9001/45001, DORA-ready, GDPR/CCPA aligned. For client evaluations.

Last updated:

Certifications

Standard Scope Since Certificate
ISO/IEC 27001:2022 Information Security Management 2021 Download PDF ↓
ISO 9001:2015 Quality Management Disponible bajo NDA
ISO/IEC 42001:2023 AI Management System In progress Pending audit
ISO 45001:2018 Occupational Health & Safety Disponible bajo NDA
ISO 14001:2015 Environmental Management 2024 ES57154B
Carbon Footprint (MITECO) Spain's MITECO carbon footprint registry — CALCULATE seal, scopes 1+2 (2024) 2024 2025-a1515

ISO 27001 certificate downloadable above. Other certificates available upon request under NDA. Email

Carbon footprint registered in Spain's public MITECO carbon footprint registry (code 2025-a1515).

Regulatory alignment

  • DORA Art. 28

    EU 2022/2554 — ICT third-party providers (critical infrastructure)

  • NIS2

    EU Directive 2022/2555 — Network and Information Security

  • AI Act

    EU 2024/1689 — Aligned via ISO 42001 management system

  • GDPR

    EU 2016/679 — Full compliance, DPO appointed

  • CCPA / CPRA

    California — Privacy notice + Do Not Sell mechanism

  • UK GDPR / DPA 2018

    Post-Brexit data protection — supplemental notice

  • PIPEDA

    Canada — Federal privacy law alignment

DORA: operational resilience posture

EU Regulation 2022/2554 (DORA) — in force since 17 January 2025 — requires EU financial entities to manage the risk of their third-party ICT providers (Art. 28). As an engineering provider for tier-1 banking and insurance, Vermont Solutions operates as part of our clients' operational resilience chain, not as an outside vendor.

  • Contractual traceability (Art. 28/30)

    Our contracts generally include the clauses DORA requires for third-party ICT agreements: service description, service levels, processing location, access/audit rights and exit strategies. Specific terms are tailored per engagement.

  • Certified information security

    Vermont is ISO/IEC 27001 certified (information security, since 2021) — the technical and organisational control base DORA expects from a critical provider.

  • Incident management

    ICT incident notification procedure aligned with DORA's taxonomy, with client notification within a maximum of 72 hours of detecting a relevant incident.

  • Transparent subcontracting

    We keep our relevant ICT subcontracting chain identified and make it available to the client under NDA, in due diligence, so they can map their concentration risk.

  • Exit strategy and reversibility

    We design integrations so the client can recover data and operations without irreversible lock-in — key in regulated banking.

DORA is not certifiable; this describes our posture and alignment. Supporting evidence (certificates, model clauses, incident procedure) available under NDA.

Responsible AI use at Vermont

We apply to our own operations the same AI governance we implement for clients. This statement covers how Vermont Solutions uses AI internally.

  • Human oversight

    Every output from internally used AI systems is reviewed by people before it is used or published. No decision affecting a person's rights is taken solely by an AI system.

  • ISO 42001 governance

    Internal AI use is framed within our AI management system (ISO/IEC 42001, certification in progress), with an inventory and risk assessment of the systems used.

  • Transparency (EU AI Act, Art. 50)

    We identify AI-generated or AI-assisted content where applicable.

  • Data protection

    We do not use personal or client data to train third-party models without express authorisation.

  • Tooling

    We use AI assistants for software development and content drafting, always with human review before delivery or publication.

Privacy in our AI services

Vermont Solutions provides AI system governance services (aligned with ISO/IEC 42001 — in progress — and the EU AI Act). This is how we handle data when those services involve AI models.

  • Minimisation and purpose

    We only process the data needed for the engagement, solely for the purpose agreed with the client (GDPR Art. 5).

  • We do not train models on client data

    Client project data is not used to train or fine-tune AI models — neither our own nor third parties', including any external large language model (LLM) providers we may use.

  • Data processor role

    When we process personal data on the client's behalf we act as processor (GDPR Art. 28), with a processing agreement and technical and organisational measures (base: certified ISO/IEC 27001).

  • Models and sub-processors

    When we use third-party AI models or services that could process data, we manage them as sub-processors under Art. 28 guarantees. The list of sub-processors and their processing location is available to clients under NDA, in due diligence.

  • International transfers

    If any sub-processor processes data outside the EEA, appropriate safeguards apply (standard contractual clauses).

  • Automated decisions

    Vermont does not make automated decisions with legal effects on data subjects on the client's behalf without human oversight; where the client requires them, oversight and impact assessment are documented.

  • Rights and records

    Data subjects exercise their rights before the controller (the client); Vermont assists as processor. We keep a record of processing activities (GDPR Art. 30), provided to regulated clients in due diligence.

See our full Privacy Policy.

Equality, diversity & inclusion

  • Equality Plan

    Registered with the Madrid Regional Labour Authority (file 28/19/0571/2024) under LO 3/2007 + RD 901/2020

  • LGTBI Plan 2024–2026

    Equal opportunity and non-discrimination plan for LGTBI people (Law 4/2023 + RD 1026/2024)

  • Diversity Plan

    Corporate diversity and inclusion plan

  • Human Rights Policy

    Corporate human rights policy

  • Disability Inclusion Programme

    Workplace inclusion programme for people with disabilities

Full documents available on request / under NDA. Email

Legal documents

Data protection (RFP)

Compliance contacts

DPO
CISO / Security
Compliance
Whistleblowing
Submit a report →

ESG & Sustainability

ESG strategy aligned with CSRD (EU 2022/2464) for European banking RFPs. Detailed ESG dashboard coming Q3 2026 (see /sobre-nosotros/esg/ ).