
Vanta Partnership -- Integration Plan

Overview

Vanta is a leading compliance automation platform with 400+ integrations and thousands of customers achieving SOC 2, ISO 27001, HIPAA, PCI DSS, and GDPR compliance. CloudTaser's built-in Vanta integration (operator sync controller) already pushes protection state and compliance test results to Vanta. This document outlines the plan for deepening the partnership to include a marketplace listing, co-marketing, and SOC 2 Type II partner access.


Current Integration

CloudTaser already integrates with Vanta via the operator's built-in sync controller. See GRC Platform Integration for the full technical documentation.

What CloudTaser pushes to Vanta today

| Data Type                 | Details                                                                  |
|---------------------------|--------------------------------------------------------------------------|
| Resources                 | Kubernetes Deployments with protection status (ACTIVE/INACTIVE)          |
| Test: Secrets not in etcd | Counts orphaned K8s Secrets. PASS when zero orphaned secrets             |
| Test: Workload coverage   | Percentage of workloads protected by CloudTaser. PASS when 80%+ coverage |
| Test: eBPF enforcement    | Checks eBPF DaemonSet health. PASS when fully scheduled and ready        |

How it works

  1. The operator reads a Vanta API access token from the EU-hosted vault
  2. Every 5 minutes, it scans all non-system namespaces
  3. It pushes Deployment resources and the test results to Vanta's Connectors API
  4. When the access token has expired, it refreshes it via OAuth2 token refresh
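To make the sync cycle concrete, here is an added example (not code from the CloudTaser operator or from Vanta) that models one scan in plain Go: it filters out system namespaces, maps Deployments to ACTIVE/INACTIVE resources, evaluates the three tests from the table above with the stated PASS rules, and decides whether the token should be refreshed before the next push. The cluster state is constructed inline; the payload field names, the list of system namespaces, the definition of an "orphaned" Secret (an Opaque Secret left in a scanned namespace) and the 5-minute refresh skew are assumptions for this example, not Vanta's schema or CloudTaser's actual rules.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed in-memory model of what one scan sees; not the operator's real types.
type Deployment struct {
	Namespace string
	Name      string
	Protected bool // true when the CloudTaser sidecar is injected
}

type Secret struct {
	Namespace string
	Name      string
	Type      string // e.g. "Opaque" or "kubernetes.io/service-account-token"
}

type DaemonSetStatus struct {
	DesiredScheduled int
	NumberReady      int
}

// Payload shapes pushed to the Connectors API. Field names are assumptions, not Vanta's schema.
type Resource struct {
	ID     string `json:"id"`
	Kind   string `json:"kind"`
	Status string `json:"status"` // ACTIVE or INACTIVE
}

type TestResult struct {
	TestID  string `json:"testId"`
	Outcome string `json:"outcome"` // PASS or FAIL
	Detail  string `json:"detail"`
}

const CoverageThreshold = 80.0 // "PASS when 80%+ coverage"

// Namespaces the scan skips (assumed list; the page only says "non-system").
var systemNamespaces = map[string]bool{"kube-system": true, "kube-public": true, "kube-node-lease": true}

func isSystemNamespace(ns string) bool { return systemNamespaces[ns] }

// BuildResources maps each non-system Deployment to a resource carrying its protection status.
func BuildResources(deps []Deployment) []Resource {
	var out []Resource
	for _, d := range deps {
		if isSystemNamespace(d.Namespace) {
			continue
		}
		status := "INACTIVE"
		if d.Protected {
			status = "ACTIVE"
		}
		out = append(out, Resource{ID: d.Namespace + "/" + d.Name, Kind: "Deployment", Status: status})
	}
	return out
}

// CountOrphanedSecrets counts application Secrets still present in scanned namespaces.
// Assumption: an Opaque Secret in a non-system namespace is "orphaned", because protected
// workloads fetch secrets from vault into memory; service-account tokens are ignored.
func CountOrphanedSecrets(secrets []Secret) int {
	n := 0
	for _, s := range secrets {
		if !isSystemNamespace(s.Namespace) && s.Type == "Opaque" {
			n++
		}
	}
	return n
}

// CoveragePercent is the share of non-system Deployments that are protected.
// An empty cluster yields 0 so that "nothing to protect" never reports PASS by accident.
func CoveragePercent(deps []Deployment) float64 {
	total, protected := 0, 0
	for _, d := range deps {
		if isSystemNamespace(d.Namespace) {
			continue
		}
		total++
		if d.Protected {
			protected++
		}
	}
	if total == 0 {
		return 0
	}
	return 100 * float64(protected) / float64(total)
}

// EvaluateTests applies the PASS rules from the table to one scan's state.
func EvaluateTests(secrets []Secret, deps []Deployment, ds DaemonSetStatus) []TestResult {
	outcome := func(pass bool) string {
		if pass {
			return "PASS"
		}
		return "FAIL"
	}
	orphaned, cov := CountOrphanedSecrets(secrets), CoveragePercent(deps)
	ebpfOK := ds.DesiredScheduled > 0 && ds.NumberReady == ds.DesiredScheduled
	return []TestResult{
		{TestID: "secrets-not-in-etcd", Outcome: outcome(orphaned == 0), Detail: fmt.Sprintf("%d orphaned secrets", orphaned)},
		{TestID: "workload-coverage", Outcome: outcome(cov >= CoverageThreshold), Detail: fmt.Sprintf("%.1f%% of workloads protected", cov)},
		{TestID: "ebpf-enforcement", Outcome: outcome(ebpfOK), Detail: fmt.Sprintf("%d/%d eBPF pods ready", ds.NumberReady, ds.DesiredScheduled)},
	}
}

// TokenNeedsRefresh decides, before a sync, whether to run the OAuth2 refresh. Refreshing
// `skew` ahead of expiry avoids a push that fails because the token expired mid-request.
func TokenNeedsRefresh(expiresAt, now time.Time, skew time.Duration) bool {
	return !now.Add(skew).Before(expiresAt)
}

func main() {
	// Constructed sample state: 4 of 5 app Deployments protected (exactly 80%), one Opaque
	// Secret left in "billing", eBPF DaemonSet fully ready.
	deps := []Deployment{{"payments", "api", true}, {"payments", "worker", true}, {"billing", "web", true},
		{"billing", "cron", true}, {"analytics", "etl", false}, {"kube-system", "coredns", false}}
	secrets := []Secret{{"payments", "sa-token", "kubernetes.io/service-account-token"}, {"billing", "db-password", "Opaque"}}
	ds := DaemonSetStatus{DesiredScheduled: 3, NumberReady: 3}
	payload := map[string]any{"resources": BuildResources(deps), "tests": EvaluateTests(secrets, deps, ds)}
	b, _ := json.MarshalIndent(payload, "", "  ")
	fmt.Println(string(b)) // the body one sync cycle would push
	fmt.Println("refresh token first:", TokenNeedsRefresh(time.Now().Add(2*time.Minute), time.Now(), 5*time.Minute))
}
```

The threshold comparison (`cov >= 80`) is deliberately inclusive so that the sample state sits exactly on the boundary the table describes; the empty-cluster case and the zero-desired DaemonSet case both fail closed, which is the behaviour a compliance test should have when there is nothing to measure.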

Partnership Goals

1. Vanta Marketplace Listing

Objective: List CloudTaser as a native Vanta integration in the Vanta marketplace, making it discoverable to Vanta's customer base.

Benefits:

  • Vanta customers seeking data sovereignty solutions discover CloudTaser directly in their compliance workflow
  • Reduces setup friction: one-click enablement vs. manual API token configuration
  • Vanta's marketplace serves as a distribution channel for EU-focused enterprises

Requirements:

  • Vanta Partner Application submission
  • Integration passes Vanta's technical review (API usage, data quality, error handling)
  • Marketing assets: integration description, logo, screenshots, use case documentation

2. SOC 2 Type II Mapping via Partner Access

Objective: Map CloudTaser's compliance tests directly to SOC 2 Trust Services Criteria within Vanta's framework, so customers see CloudTaser evidence mapped to specific SOC 2 controls.

Target mappings:

| CloudTaser Test     | SOC 2 Criteria                                              | Description                                                               |
|---------------------|-------------------------------------------------------------|---------------------------------------------------------------------------|
| Secrets not in etcd | CC6.1 (Logical access security)                             | Cryptographic keys not stored in cloud-provider-accessible storage        |
| Workload coverage   | CC6.1, CC7.3 (System monitoring)                            | Continuous monitoring of secret protection coverage                       |
| eBPF enforcement    | CC6.6 (Threat management), CC7.2 (Anomaly monitoring)       | Runtime enforcement blocking 20+ attack vectors                           |

3. Co-Marketing

Objective: Joint content with Vanta demonstrating how CloudTaser and Vanta together enable EU enterprises to achieve SOC 2 and GDPR compliance on US cloud providers.

Potential content:

  • Joint blog post: "How [Customer] achieved SOC 2 compliance on AWS while meeting Schrems II requirements"
  • Webinar: "EU Data Sovereignty Meets Compliance Automation"
  • Case study with an early CloudTaser + Vanta customer

Technical Integration Enhancement Plan

Phase 1: Current state (shipped)

  • Operator-based sync controller
  • Three compliance tests (secrets, coverage, eBPF)
  • OAuth2 token management via vault

Phase 2: Enhanced evidence

  • Push individual protection scores per workload as resource metadata
  • Push eBPF security events (SECRET_LEAK, PTRACE_DENIED, etc.) as audit log entries
  • Add test for S3 proxy encryption coverage
  • Add test for DB proxy encryption coverage

Phase 3: Marketplace integration

  • Submit Vanta Partner Application
  • Implement Vanta's marketplace integration requirements (if different from current Connectors API usage)
  • Provide OAuth2 app for one-click enablement (Vanta initiates the connection, not the customer)
  • Add configuration UI in CloudTaser SaaS platform

Phase 4: Framework expansion

  • Map CloudTaser tests to additional frameworks in Vanta:
    • ISO 27001 (A.8.24, A.8.12, A.8.9)
    • GDPR (Art. 32)
    • PCI DSS (Req 3, 7, 10)
    • HIPAA (where applicable for EU health tech)

Draft Outreach Email to Vanta Partnerships

Draft -- to be customized before sending

The email below is a starting point. Customize with specific metrics, customer references, and timing before sending.


To: [email protected]

Subject: CloudTaser + Vanta -- EU data sovereignty integration for SOC 2 and GDPR

Hi Vanta Partnerships Team,

I'm reaching out from CloudTaser (cloudtaser.io) about a partnership that would bring EU data sovereignty capabilities to Vanta's customer base.

What CloudTaser does: CloudTaser is a Kubernetes-native data sovereignty product. It ensures EU companies can use US cloud providers (AWS, GCP, Azure) with cryptographic guarantees that neither the provider nor US government can access their secrets. We use a mutating admission webhook to inject a sidecar that fetches secrets from EU-hosted vault into process memory -- secrets never touch etcd or Kubernetes Secrets. Our eBPF agent provides runtime enforcement blocking 20+ attack vectors.

Existing integration: We have already built a Vanta integration into our operator. It pushes Kubernetes Deployment resources and three compliance tests to Vanta via the Connectors API every 5 minutes:

  • Secrets not stored in Kubernetes etcd (maps to CC6.1)
  • Production workload protection coverage percentage (maps to CC6.1, CC7.3)
  • eBPF runtime enforcement active on all nodes (maps to CC6.6, CC7.2)

All Vanta API credentials are stored in our EU-hosted vault -- never in Kubernetes Secrets -- which is itself a compliance feature.

Partnership interest: We would like to explore:

  1. Marketplace listing -- making CloudTaser discoverable as a native Vanta integration so your customers seeking EU data sovereignty solutions find us within their compliance workflow
  2. SOC 2 control mapping -- mapping our compliance tests directly to SOC 2 Trust Services Criteria within Vanta, so customers see evidence mapped to specific controls
  3. Co-marketing -- joint content on achieving SOC 2 and GDPR compliance on US cloud providers with cryptographic sovereignty guarantees

Why this matters for Vanta customers: Post-Schrems II, EU enterprises on US cloud providers need technical supplementary measures to satisfy GDPR, NIS2, DORA, and the EU Data Act. CloudTaser provides those measures. Vanta automates the compliance evidence. Together, we close the loop: technical enforcement + automated compliance proof.

Our target market is EU enterprises (500-10K employees) running regulated workloads on managed Kubernetes -- financial services, healthcare, government, and SaaS. This overlaps significantly with Vanta's enterprise customer base.

Would you be open to a 30-minute call to explore the partnership? I'm happy to demo the existing integration and discuss the marketplace listing process.

Best regards,

[Name]
[Title], skipOPS Ltd
[Email]
cloudtaser.io


Next Steps

  1. Send outreach email to Vanta partnerships team
  2. Prepare demo environment showing CloudTaser-to-Vanta sync in action
  3. Gather early customer references willing to be named in partnership discussions
  4. Begin Vanta Partner Application once initial contact is established
  5. Develop marketing assets (integration screenshots, logo, use case documentation)