Trust & Data Governance

Built for environments where data sovereignty is not negotiable.

VARDE Intelligence AS operates with the assurance posture expected of a vendor delivering to defence, government and critical-infrastructure operators. This page summarises how we host, protect and govern customer data. Detailed assurance documentation, including DPAs, subprocessor lists, and security questionnaires, is available on request under NDA.

Deployment Models

V4RDE is offered in three deployment models. The choice is the customer's, driven by their operational, regulatory and sovereignty requirements.

  • Managed SaaS (default): Hosted by VARDE Intelligence AS in EU/EEA jurisdictions today. Suitable for commercial maritime operators and customers without specific residency mandates.
  • Dedicated SaaS: Single-tenant deployment in the customer's preferred jurisdiction. Used where data isolation, dedicated key management or specific national hosting is required.
  • On-premise / Sovereign: Deployment inside the customer's own infrastructure or a customer-controlled sovereign cloud. Used by defence, government and critical-infrastructure customers operating under classified or restricted regimes.

Data Residency

All operational data processed by VARDE today is hosted within the European Union. Default infrastructure is provided by Hetzner Online GmbH in Finland and Germany. For Dedicated SaaS and On-premise deployments, data residency follows the customer's requirements and is documented contractually.

No fused product, evidence bundle, source record or derived data set leaves the EU as part of normal operation. Collection, normalisation, fusion, storage and dissemination infrastructure all reside in EU jurisdictions.

The sole permitted egress is when an analyst, on a per-task basis, elects to apply a third-party large-language-model provider hosted outside the EU for non-evidentiary auxiliary processing (for example, narrative drafting from already-graded findings). This election is explicit, logged, and excluded from evidence-bundle content. AI providers without verifiable EU data residency or with unclear data-handling practices are excluded from the platform by policy.

Security Posture

  • Encryption in transit: TLS 1.2+ for all external traffic; TLS termination at perimeter.
  • Encryption at rest: Full-disk encryption on all hosts; per-tenant key separation available for Dedicated and On-premise deployments.
  • Access control: Principle of least privilege. Administrative access requires hardware key (FIDO2) and is restricted to named personnel with documented operational need.
  • Audit & logging: Immutable audit trail for analytical actions; access logs retained per applicable retention policy.
  • Hardening: SSH password authentication disabled; key-based access only; host-based firewall and intrusion-prevention; automated security patching for non-breaking updates.
  • Network isolation: Reverse-proxy perimeter; no direct service exposure; segmented internal networks.
  • Supply chain: Minimal dependency footprint, version-pinned builds, container image scanning.

Evidentiary Standard

Analytical products carry TLP classification, structured case numbering, SHA-256 chain of custody and an immutable audit trail. The standard is applied by default, so the evidentiary integrity of an output is preserved whether or not the consequences are anticipated at the time of production.

Privacy & Regulatory Compliance

  • GDPR: VARDE acts as data controller for v4rde.io and as data processor for customer deployments. Standard Data Processing Agreement (DPA) available on request.
  • International transfers: Where any subprocessor is located outside the EEA, transfers are governed by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where applicable, the EU-U.S. Data Privacy Framework.
  • Sanctions & export control: We comply with applicable EU and Norwegian sanctions regimes and export-control rules. Engagements with customers in restricted jurisdictions are reviewed prior to onboarding.
  • Public sources: Open-source intelligence and AIS-derived data are processed in accordance with the terms of the relevant data sources and applicable law.

Subprocessors (v4rde.io public site)

The following subprocessors support the public website and contact form. Operational customer deployments use a separate, customer-specific subprocessor list provided as part of the DPA.

Provider | Purpose | Region
Hetzner Online GmbH | Hosting, compute, storage | EU (DE / FI)
Cloudflare, Inc. | CDN, DDoS protection, TLS | Global / US (SCC + EU-US DPF)
Resend, Inc. | Transactional email delivery | EU (eu-west-1, Ireland) / US (SCC + EU-US DPF)

Incident Response & Responsible Disclosure

Suspected security issues, vulnerabilities or data incidents may be reported to [email protected]. We aim to acknowledge reports within one business day. Customer notification of confirmed incidents follows contractual SLAs and, where applicable, GDPR Article 33 timelines.

We support coordinated disclosure and ask researchers to refrain from public disclosure until a remediation window has been agreed.

Assurance Documentation

The following documentation is available on request, typically under mutual NDA:

  • Data Processing Agreement (DPA) and SCC annexes
  • Subprocessor list for the relevant deployment model
  • Security overview and architecture summary
  • Vendor security questionnaire (CAIQ-Lite or equivalent)
  • Business continuity and incident-response summary
  • Insurance certificates

Formal certifications (ISO 27001, SOC 2) are on the company roadmap; the security controls underpinning those frameworks are already operated as standard practice.

Contact

Security, privacy and assurance enquiries: [email protected].

VARDE INTELLIGENCE AS · Org. no. 837 434 262 · Norway

Last updated: 1 May 2026