Last updated: October 2025
Overview
VendorPilot is a platform operated by Bendi Software Ltd (“Bendi”, “we”, “our”, “us”). This statement explains how we handle the information and documents that you upload or provide whilst using VendorPilot. Bendi is a UK-registered company (Company number: 12814542) and this statement is governed by the laws of England and Wales.Who owns your data
All information, files and documents that you upload to VendorPilot remain your property or the property of your organisation. Bendi acts only as a data processor. We handle your data on your behalf and under your instructions. We do not claim ownership, reuse or sell your information for any purpose outside the operation of VendorPilot. You maintain full control over:What data is uploaded or shared;
When data is removed or deleted; and
Who within your organisation is authorised to access it.
If you close your VendorPilot account or your relationship with the inviting organisation ends, you may request that we delete or export your data in line with our normal data retention procedures.
Who can view your data
Access to your information within VendorPilot is limited and controlled. The following parties may view data or documents you upload:
You and your organisation
You can access all data that you upload, including any supporting documents, responses and history associated with your account. Your organisation’s administrators can manage permissions for your internal users.The inviting organisation (your client or customer)
When you respond to a data request, survey or questionnaire issued through VendorPilot, your uploaded information is shared only with the organisation(s) that initiated that request. They can view your submitted materials to assess compliance, validate responses and maintain supplier records.The Bendi team
Authorised members of the Bendi team may access your data only when necessary for:
- Troubleshooting technical issues;
- Providing customer support to you or your client;
- Verifying system integrity and data quality; and
- Maintaining, securing and improving the VendorPilot platform.
Bendi staff access is controlled, monitored and restricted to personnel with a need to know. Bendi personnel are bound by strict confidentiality agreements and internal access controls that align with recognised information-security standards.
Bendi will never use your data for any purpose unrelated to providing or maintaining VendorPilot.How your data is protected
We apply multiple layers of security to ensure that your information remains safe, private and intact throughout its lifecycle. This includes:Encryption: all data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256) within our cloud infrastructure.
Access controls: data access is limited to authorised users and Bendi personnel using unique credentials, multi-factor authentication and least-privilege principles.
Secure hosting: VendorPilot is hosted on Google Cloud Platform. Bendi’s terms of use with VertexAI, Google’s flagship AI product, means that they cannot train their models on the data we give it. Google Cloud Platform operates according to certified compliance frameworks including ISO 27001, SOC 2 and PCI-DSS, as well as GDPR-aligned data processing.
Monitoring and logging: we monitor system activity and maintain audit logs of data access and modifications.
Regular testing: we conduct periodic vulnerability scanning and security testing to identify and address potential risks.
Data segregation: each client’s data is logically separated to prevent unauthorised cross-access between tenants.
Where your data is stored
Your data may be stored and processed in multiple jurisdictions (such as the UK, EU and other regions) using trusted third-party infrastructure provided by Google Cloud Platform. We rely on cloud-provider managed gateways, with built-in services such as Google Cloud Armor, which provide DDoS mitigation, Web Application Firewall (WAF) capabilities and policy-driven access controls. Where data is transferred internationally, we implement appropriate safeguards consistent with applicable data protection laws (e.g. UK GDPR / EU GDPR).Data use and retention
We process your data solely to deliver and improve the VendorPilot service. We never sell or share your data with third parties for marketing or for any other purposes. Data is retained only as long as needed to provide the service or as required by law.Your rights
Depending on your location, you may have rights to access, correct, delete or export your data. To exercise these rights, or for privacy-related questions, contact us at legal@bendi.ai.Updates
We may update this statement from time to time. Material changes will be communicated within the platform or by email.
