ValueChainRisk.org

Trust Brief · February 2026

Data Security

How VCRI Holds Vendor Data in Escrow — and What Clients Never See

Trust Architecture
TLP:WHITE · Public

🔐

The Escrow Principle

VCRI operates as a neutral trusted third party. Vendors submit operational telemetry — vulnerability scan outputs, SIEM event counts, GRC control attestations — directly to VCRI's escrow environment. That raw data never leaves the escrow boundary. What clients receive is a score: a normalized, dollar-denominated posture signal derived from the data, not the data itself.

This architecture is deliberate. A vendor sharing data with VCRI is not sharing it with their customers, their competitors, or the public. The data flows in one direction, and the intelligence flows out in another — as a trust score that reveals nothing about the underlying system.

Data Flow Architecture — Four Separated Layers

LAYER 1 — VENDOR ENVIRONMENT

Vendor's own systems: SIEM, VM platform, GRC tool, EDR. Data never leaves vendor control without vendor action. Vendor initiates the data pull; VCRI cannot reach in.

Vendor-controlled

↓ Encrypted TLS 1.3 · Vendor-authorized pull

LAYER 2 — VCRI ESCROW ENVIRONMENT

Raw telemetry stored encrypted at rest (AES-256). Access requires VCRI system credentials only. No client, no competitor, no human analyst reads raw data. Retention period defined per vendor agreement.

VCRI-only access

↓ Automated scoring pipeline · No human access

LAYER 3 — SCORING ENGINE (CAM)

CyberAssuranceMatrix processes raw telemetry, applies TIPPSS dimensional scoring and CMM maturity levels, normalizes via SCF crosswalk. Produces: one composite score + six dimensional sub-scores + VCAR figure. Raw data does not flow forward.

Automated only

↓ Score delivery only · No raw data

LAYER 4 — CLIENT DASHBOARD

Procuring agency sees: CAM composite score (0–100), dimensional scores per TIPPSS axis, VCAR dollar exposure, trend over time. No raw system data. No individual vulnerability names. No internal configuration details.

Score only

What Flows Where

Into VCRI Escrow (from vendor):

  • Vulnerability scan summary counts (not CVE details)
  • SIEM alert volume and category aggregates
  • GRC control status flags (pass/fail/partial)
  • Patch cycle cadence data
  • Training completion rates

Out to Client (from VCRI):

  • CAM composite posture score
  • Six TIPPSS dimensional sub-scores
  • VCAR Dollar-at-Risk figure
  • Score trend over time
  • Relative peer benchmarks (anonymized)

Never accessible to clients:

  • Raw vulnerability scan output
  • System architecture or config data
  • Individual CVE names or exploit details
  • Staff names, credentials, or HR data
  • Any data from vendor's competitors

Technical Controls

🔒

Encryption at rest and in transit

AES-256 at rest. TLS 1.3 in transit. Vendor-specific encryption keys — VCRI cannot decrypt one vendor's data with another vendor's key.

🌐

Data residency options

Japan-hosted deployment available for government and regulated-industry participants. Data does not leave jurisdiction without explicit vendor authorization.

🔑

Vendor-controlled access

Vendor configures which clients may view their VCRI score. A vendor can grant access to one customer, ten customers, or no customers. They can revoke access at any time.

🗑️

Right to deletion

Vendors may request deletion of their escrow data at any time. Deletion is executed within 30 days and confirmed by audit log. Score history is tombstoned, not transferred.

Governance & Liability

⚖️

Non-profit structure as structural safeguard

VCRI is a 501(c)(3) non-profit. There is no financial incentive to monetize vendor data, sell scores to third parties, or share data with commercial partners. Mission is the only output.

📋

Vendor audit rights

Participating vendors have the right to audit VCRI's handling of their data, including requesting access logs showing what data was read, when, and by which system processes.

🛡️

Breach notification and liability

Vendor agreements define breach notification SLAs (72-hour notice for confirmed breaches). VCRI carries cyber liability insurance covering escrow data. Agreements specify indemnification terms.

🏛️

Oversight board

VCRI's board includes Oracle's former 25-year CSO (Mary Ann Davidson) and the CISO of Indiana University Health (Mitch Parker), providing independent security oversight of data handling practices.

Questions We Hear from Government Evaluators

Q: Can a competitor access my vendor's data?

No. VCRI escrow is vendor-specific. Competing vendors have separate encrypted storage. Client access is granted only per vendor authorization. The scoring engine sees aggregate data patterns; no competitive intelligence is surfaced.

Q: Does VCRI have human analysts reading vendor data?

No. The escrow-to-score pipeline is fully automated. The CyberAssuranceMatrix scoring engine processes telemetry algorithmically. VCRI staff access audit logs for operational integrity, not vendor content.

Q: What if a vendor's data reveals a critical vulnerability?

VCRI does not hold individual CVE data. The scoring engine sees aggregates and category counts. A vendor's score may drop significantly, which alerts the procuring agency — but the reason is expressed as a dimensional score decline, not a named vulnerability. The vendor receives a private remediation flag directly.

Q: Where is data stored? Can it be hosted in Japan?

Yes. VCRI supports in-country deployment for government-affiliated participants. Japan-based government agencies and their vendors can operate within a Japan-hosted instance, with no data leaving Japanese jurisdiction without explicit authorization and a bilateral data transfer agreement.

Q: What data does VCRI require vendors to submit?

Only what is necessary to score the six CAM dimensions. VCRI requires aggregated counts and categorical flags, not raw logs, configuration files, source code, or PII. The minimum viable telemetry set is defined in the vendor onboarding agreement and is auditable.

Q: How does VCRI prevent insider threat to escrow data?

Access to raw escrow data requires multi-party authorization (no single VCRI employee can access vendor data unilaterally). All access is logged immutably. The board's CSO-level members conduct annual security reviews of escrow access controls. Vendors may inspect their own access logs on request.

The Vendor Benefit: Portable Trust

The escrow model creates a structural incentive for vendors to participate — and to allow automated data pull rather than manual questionnaire submission.

Submit data to VCRI once

Share VCRI score with any customer who requests it

0 questionnaires to fill out for each customer

A vendor serving 50 government clients would typically receive 50 separate security questionnaires per year. With VCRI, they answer once — to VCRI. All 50 clients read from the same score. Transparency becomes the rational choice.

Assurance Documents Available

Data Processing Agreement (DPA) template

Minimum telemetry specification (what data VCRI requires per CAM dimension)

Access control architecture diagram (escrow boundary specification)

Sample vendor audit log report (showing what VCRI can provide on request)

Security questions: info@valuechainrisk.org


Value Chain Risk Institute

Secure the Value, Not Just the Network.

Data Security & Escrow Trust Brief · February 2026 · Non-Profit 501(c)(3)

TLP:WHITE — May be shared freely