
Last updated: 7 July 2026
Security is not a slogan for us — it is engineered, tested and documented. This page states the actual controls protecting our systems and the data you entrust to us, aligned with the EU’s General Data Protection Regulation (GDPR), Singapore’s PDPA and the ISO/IEC 27001 control framework. We name what we do, and we are equally clear about what we do not yet claim.
We collect only what a task requires. Identity and business verification (KYC/KYB) runs entirely inside our regulated verification partner’s hosted flow — raw passports, selfies and identity documents never touch our servers. We retain only the verification result and the extracted contact fields necessary for the engagement.
Every state change is recorded in a cryptographically hash-chained audit log. Any attempt to alter history breaks the chain and is detectable — providing an integrity guarantee, not merely a log file.
An intrusion-detection system watches our services continuously and blocks attacking sources automatically at the firewall, across all systems at once. Availability and certificate health are monitored around the clock, with alerting to our team. Our infrastructure is hardened: a strict firewall, key-only administrative access, automatic security patching and network isolation of all internal services.
Databases and document storage are backed up nightly, encrypted, and — critically — restore-tested: a backup that has never been restored is a hope, not a backup. Recovery keys are held securely off-site.
We support access, correction and erasure of personal data. Where data must be erased, we do so while preserving the integrity of our tamper-evident records (pseudonymisation rather than silent deletion). Personal data is retained only as long as necessary and then securely removed. Full detail is in our Privacy Policy.
Where we rely on external processors (identity verification, transactional email, optional AI risk scoring), they are bound by contract; sensitive AI risk scoring can be run on our own infrastructure so that no data leaves our environment.
Transparency is part of the standard. Today we operate to the controls above and align them with ISO 27001 categories, but we have not completed a formal ISO 27001 or SOC 2 certification audit — this page is a verifiable self-assessment, not a certificate. Post-quantum transport encryption is prepared but not yet live at the network edge, and off-site backup replication is being finalised. We will update this page as each of these advances.
If you believe you have found a security issue, please contact us in confidence at admin@vesseloffshoremanagement.com. We take every report seriously and will respond promptly.