VOM
VOM
  • Home
  • About
  • Sea
  • Land
  • Air
  • Capabilities
  • Engage
Oil Rig Transit EscortStrait of Hormuz · CompletedPort Facility ProtectionSingapore · ActiveAll Operations
  • Home
  • About
  • Sea
  • Land
  • Air
  • Capabilities
  • Engage
Public Operations
Oil Rig Transit EscortStrait of Hormuz · CompletedPort Facility ProtectionSingapore · ActiveAll Operations
Trust

Security & Data Protection

Last updated: 7 July 2026

Security is not a slogan for us — it is engineered, tested and documented. This page states the actual controls protecting our systems and the data you entrust to us, aligned with the EU’s General Data Protection Regulation (GDPR), Singapore’s PDPA and the ISO/IEC 27001 control framework. We name what we do, and we are equally clear about what we do not yet claim.

1. Data minimisation by design

We collect only what a task requires. Identity and business verification (KYC/KYB) runs entirely inside our regulated verification partner’s hosted flow — raw passports, selfies and identity documents never touch our servers. We retain only the verification result and the extracted contact fields necessary for the engagement.

2. Encryption

  • In transit: all traffic is served over TLS with HSTS enforced.
  • At rest: secrets, two-factor seeds and sensitive documents are protected with AES-256-GCM authenticated encryption, using separated, rotatable keys.
  • Backups: every backup is AES-256-GCM encrypted and integrity-verified. Encryption keys are escrowed off-server.
  • Quantum-aware: our at-rest and backup encryption already resists foreseeable quantum attacks; post-quantum transport encryption is on our roadmap.

3. Access control & authentication

  • Mandatory multi-factor authentication (authenticator apps and hardware passkeys / biometrics) on every account that can reach sensitive systems.
  • Strong password hashing, account lockout on repeated failed attempts, and least-privilege database roles — the running application can never alter its own schema.
  • Role-based, per-engagement access: personnel see only the operation they are assigned to.

4. Tamper-evident audit trail

Every state change is recorded in a cryptographically hash-chained audit log. Any attempt to alter history breaks the chain and is detectable — providing an integrity guarantee, not merely a log file.

5. Threat detection & response

An intrusion-detection system watches our services continuously and blocks attacking sources automatically at the firewall, across all systems at once. Availability and certificate health are monitored around the clock, with alerting to our team. Our infrastructure is hardened: a strict firewall, key-only administrative access, automatic security patching and network isolation of all internal services.

6. Resilience & recovery

Databases and document storage are backed up nightly, encrypted, and — critically — restore-tested: a backup that has never been restored is a hope, not a backup. Recovery keys are held securely off-site.

7. Your rights & data protection

We support access, correction and erasure of personal data. Where data must be erased, we do so while preserving the integrity of our tamper-evident records (pseudonymisation rather than silent deletion). Personal data is retained only as long as necessary and then securely removed. Full detail is in our Privacy Policy.

Where we rely on external processors (identity verification, transactional email, optional AI risk scoring), they are bound by contract; sensitive AI risk scoring can be run on our own infrastructure so that no data leaves our environment.

8. What we do not claim

Transparency is part of the standard. Today we operate to the controls above and align them with ISO 27001 categories, but we have not completed a formal ISO 27001 or SOC 2 certification audit — this page is a verifiable self-assessment, not a certificate. Post-quantum transport encryption is prepared but not yet live at the network edge, and off-site backup replication is being finalised. We will update this page as each of these advances.

9. Reporting a concern

If you believe you have found a security issue, please contact us in confidence at admin@vesseloffshoremanagement.com. We take every report seriously and will respond promptly.

Back to home
MSS Global accredited — ISO 28000:2007 Supply Chain Security Management and ISO 28007:2015 (Maritime Armed), UKAS Management Systems 7818
ReferencesEngageSecurityPrivacy PolicyDashboard

© 2026 VOM