Our Commitment to Security and Compliance
Vast.ai maintains rigorous security controls and compliance certifications to protect customer data. As a GPU compute marketplace serving AI startups, research universities, and Fortune 500 enterprises, we hold ourselves to the same standards our customers require.
To discuss your compliance requirements, contact our sales team.
Certifications & Standards
SOC 2 Type 3
Our SOC 2 Type 3 report is available immediately upon request. Contact sales to obtain a copy.
SOC 2 Type 2
Vast.ai has completed SOC 2 Type 2 certification. This audit, conducted by an independent third party, verified that our security, availability, and confidentiality controls meet AICPA Trust Services Criteria over a sustained observation period. The SOC 2 Type 2 report is available under a signed NDA — contact sales to request access.
HIPAA
Vast.ai supports HIPAA-covered workloads on our Secure Cloud tier. Technical safeguards — including data isolation, access controls, and audit logging — align with HIPAA requirements. Business Associate Agreements (BAAs) are available for qualifying customers.
GDPR
We comply with the General Data Protection Regulation for all European users. Our Data Processing Agreement details data handling, sub-processor disclosures, and data subject rights. EU-region compute is available on request.
US Data Privacy
Vast.ai complies with applicable US state privacy laws, including CCPA/CPRA. Our Privacy Policy outlines data collection, use, retention, and deletion practices.
Platform Security
Client Data Isolation
- Every workload runs in an unprivileged Docker container, isolated from other tenants
- Clients access only their own data — no shared filesystems between tenants
- Data is destroyed immediately when a client deletes an instance
Network & Access Controls
- All API and console traffic is encrypted in transit via TLS 1.2+
- Role-based access controls govern internal systems
- API key authentication for all programmatic access
Monitoring & Incident Response
- Continuous monitoring for anomalous activity across the platform
- Documented incident response procedures with defined escalation paths
- Regular internal and third-party security audits
Employee Security
- Background checks for all employees
- Security and compliance training at onboarding and annually thereafter
- Principle of least privilege applied to all internal access
Security Tiers
Vast.ai offers two security tiers to match your requirements:
Verified Hosts
Suitable for general-purpose AI and HPC workloads.
- Manually tested for reliability and performance
- Docker-level tenant isolation
- Cost-effective option for non-regulated workloads
Secure Cloud (Trusted Datacenters)
For regulated industries and enterprise security requirements. Filter for these offers on cloud.vast.ai by selecting "Secure Cloud (Only Trusted Datacenters)."
Datacenter partner requirements:
- Equipment housed in professionally managed data center facilities
- Minimum 5 GPU servers with flagship-class hardware
- Signed Data Processing Agreements with Vast.ai
- Due diligence on facility security, ownership, and business identity
Certifications held by datacenter partners may include:
- ISO 27001, ISO 20000-1, ISO 22301, ISO 14001
- SOC 1 Type 2, SOC 2 Type 2, SOC 3
- HIPAA, HITRUST, PCI DSS
- NIST frameworks
- GDPR compliance
Security certifications such as ISO 27001 or SOC 2 are encouraged and strengthen a partner's application, but are not strictly required for certification.
Physical & environmental security:
- Restricted facility access with biometric or badge authentication
- Video surveillance with 90+ day retention
- Fire detection and suppression systems
- Redundant power and climate control
- Annual testing of all environmental control systems
Auditing & oversight:
- Vast.ai audits datacenter partners on ownership structure, identity, and source of funds
- Ongoing verification that partners maintain facility standards and follow best practices
Legal & Contractual Protections
- Data Processing Agreement governs all data handling
- Privacy Policy details collection, use, and retention practices
- Terms of Service define platform obligations and customer rights
- Secure Cloud datacenter hosts sign expanded hosting agreements with additional DPA coverage
Track Record
Vast.ai has maintained a clean security record since its launch in 2018, with no major incidents.
Contact
For compliance documentation, audit reports, or to discuss your security requirements:
- Email: compliance@vast.ai
- Sales: Contact our sales team