Compliance
Trust Center
Vermont Solutions security, privacy, compliance and certifications hub. ISO 27001/9001/45001, DORA-ready, GDPR/CCPA aligned. For client evaluations.
Last updated:
Certifications
| Standard | Scope | Since | Certificate |
|---|---|---|---|
| ISO/IEC 27001:2022 | Information Security Management | 2021 | Download PDF ↓ |
| ISO 9001:2015 | Quality Management | — | Disponible bajo NDA |
| ISO/IEC 42001:2023 | AI Management System | In progress | Pending audit |
| ISO 45001:2018 | Occupational Health & Safety | — | Disponible bajo NDA |
| ISO 14001:2015 | Environmental Management | 2024 | ES57154B |
| Carbon Footprint (MITECO) | Spain's MITECO carbon footprint registry — CALCULATE seal, scopes 1+2 (2024) | 2024 | 2025-a1515 |
ISO 27001 certificate downloadable above. Other certificates available upon request under NDA. Email
Carbon footprint registered in Spain's public MITECO carbon footprint registry (code 2025-a1515).
Regulatory alignment
-
DORA Art. 28
EU 2022/2554 — ICT third-party providers (critical infrastructure)
-
NIS2
EU Directive 2022/2555 — Network and Information Security
-
AI Act
EU 2024/1689 — Aligned via ISO 42001 management system
-
GDPR
EU 2016/679 — Full compliance, DPO appointed
-
CCPA / CPRA
California — Privacy notice + Do Not Sell mechanism
-
UK GDPR / DPA 2018
Post-Brexit data protection — supplemental notice
-
PIPEDA
Canada — Federal privacy law alignment
DORA: operational resilience posture
EU Regulation 2022/2554 (DORA) — in force since 17 January 2025 — requires EU financial entities to manage the risk of their third-party ICT providers (Art. 28). As an engineering provider for tier-1 banking and insurance, Vermont Solutions operates as part of our clients' operational resilience chain, not as an outside vendor.
-
Contractual traceability (Art. 28/30)
Our contracts generally include the clauses DORA requires for third-party ICT agreements: service description, service levels, processing location, access/audit rights and exit strategies. Specific terms are tailored per engagement.
-
Certified information security
Vermont is ISO/IEC 27001 certified (information security, since 2021) — the technical and organisational control base DORA expects from a critical provider.
-
Incident management
ICT incident notification procedure aligned with DORA's taxonomy, with client notification within a maximum of 72 hours of detecting a relevant incident.
-
Transparent subcontracting
We keep our relevant ICT subcontracting chain identified and make it available to the client under NDA, in due diligence, so they can map their concentration risk.
-
Exit strategy and reversibility
We design integrations so the client can recover data and operations without irreversible lock-in — key in regulated banking.
DORA is not certifiable; this describes our posture and alignment. Supporting evidence (certificates, model clauses, incident procedure) available under NDA.
Responsible AI use at Vermont
We apply to our own operations the same AI governance we implement for clients. This statement covers how Vermont Solutions uses AI internally.
-
Human oversight
Every output from internally used AI systems is reviewed by people before it is used or published. No decision affecting a person's rights is taken solely by an AI system.
-
ISO 42001 governance
Internal AI use is framed within our AI management system (ISO/IEC 42001, certification in progress), with an inventory and risk assessment of the systems used.
-
Transparency (EU AI Act, Art. 50)
We identify AI-generated or AI-assisted content where applicable.
-
Data protection
We do not use personal or client data to train third-party models without express authorisation.
-
Tooling
We use AI assistants for software development and content drafting, always with human review before delivery or publication.
Privacy in our AI services
Vermont Solutions provides AI system governance services (aligned with ISO/IEC 42001 — in progress — and the EU AI Act). This is how we handle data when those services involve AI models.
-
Minimisation and purpose
We only process the data needed for the engagement, solely for the purpose agreed with the client (GDPR Art. 5).
-
We do not train models on client data
Client project data is not used to train or fine-tune AI models — neither our own nor third parties', including any external large language model (LLM) providers we may use.
-
Data processor role
When we process personal data on the client's behalf we act as processor (GDPR Art. 28), with a processing agreement and technical and organisational measures (base: certified ISO/IEC 27001).
-
Models and sub-processors
When we use third-party AI models or services that could process data, we manage them as sub-processors under Art. 28 guarantees. The list of sub-processors and their processing location is available to clients under NDA, in due diligence.
-
International transfers
If any sub-processor processes data outside the EEA, appropriate safeguards apply (standard contractual clauses).
-
Automated decisions
Vermont does not make automated decisions with legal effects on data subjects on the client's behalf without human oversight; where the client requires them, oversight and impact assessment are documented.
-
Rights and records
Data subjects exercise their rights before the controller (the client); Vermont assists as processor. We keep a record of processing activities (GDPR Art. 30), provided to regulated clients in due diligence.
See our full Privacy Policy.
Equality, diversity & inclusion
-
Equality Plan
Registered with the Madrid Regional Labour Authority (file 28/19/0571/2024) under LO 3/2007 + RD 901/2020
-
LGTBI Plan 2024–2026
Equal opportunity and non-discrimination plan for LGTBI people (Law 4/2023 + RD 1026/2024)
-
Diversity Plan
Corporate diversity and inclusion plan
-
Human Rights Policy
Corporate human rights policy
-
Disability Inclusion Programme
Workplace inclusion programme for people with disabilities
Legal documents
Data protection (RFP)
Data Processing Agreement (DPA) — model
GDPR Art. 28 template (PDF). Reviewed, completed and signed per engagement.
Download PDF →Due-diligence kit (ZIP)
ISO 27001 certificate + DPA + information security policy + integrated management system, in a single download.
Download ZIP →Subprocessors list
Public list of website subprocessors with locations and transfer safeguards.
View list →Compliance contacts
- Whistleblowing
- Submit a report →
ESG & Sustainability
ESG strategy aligned with CSRD (EU 2022/2464) for European banking RFPs. Detailed ESG dashboard coming Q3 2026 (see /sobre-nosotros/esg/ ).