Home Integrations Vercel Integration User Guide

Vercel Integration User Guide

Last updated on Feb 04, 2026

Overview

Humadroid's Vercel integration automatically collects compliance evidence from your Vercel deployment platform. Once connected, it continuously monitors your Vercel team configuration, project settings, and security controls to gather evidence that satisfies controls for SOC 2 and ISO 27001 compliance frameworks.

Key Benefits

  • Automated evidence collection - No more manual screenshots or exports

  • Compliance-focused collection - Evidence collected on schedule (monthly)

  • Auto-verification - Many evidence sources are automatically checked against compliance rules

  • Multi-framework support - Single integration satisfies controls across SOC 2 and ISO 27001

  • Plan-aware - Automatically adapts to your Vercel plan (Hobby/Pro/Enterprise)

Security Model

  • Read-only access - Humadroid cannot modify your Vercel settings or deployments

  • Dual authentication options - OAuth integration (recommended) or API Token

  • Team-scoped access - Access limited to selected team only

  • Encrypted credential storage - Credentials encrypted at rest

  • Easily revocable - Disconnect anytime from Humadroid or revoke from Vercel

Evidence Sources

The Vercel integration collects 10 distinct evidence types across three categories:

Access Control

Team Members & Roles

  • Description: Collects team membership and role assignments for access control evidence

  • Frequency: Monthly

  • Auto-Verify: Yes

  • Plan Required: All plans

RBAC Configuration

  • Description: Documents role-based access control configuration and custom roles

  • Frequency: Monthly

  • Auto-Verify: Yes

  • Plan Required: All plans

Project Access Settings

  • Description: Collects project-level access restrictions and team assignments

  • Frequency: Monthly

  • Auto-Verify: Yes

  • Plan Required: All plans

SSO/SAML Configuration

  • Description: Collects SSO enforcement status and SAML configuration

  • Frequency: Monthly

  • Auto-Verify: Yes

  • Plan Required: Enterprise only

Deployment Security

Deployment Protection

  • Description: Collects deployment protection settings including authentication requirements

  • Frequency: Monthly

  • Auto-Verify: Yes

  • Plan Required: All plans (limited on Hobby)

Environment Variables

  • Description: Inventories environment variables and validates sensitive variable protection

  • Frequency: Monthly

  • Auto-Verify: Yes

  • Plan Required: All plans

Network Security

WAF Status

  • Description: Collects Web Application Firewall enablement status across projects

  • Frequency: Monthly

  • Auto-Verify: Yes

  • Plan Required: Pro+

WAF Rules

  • Description: Collects custom WAF rules and managed rule configurations

  • Frequency: Monthly

  • Auto-Verify: No (manual review recommended)

  • Plan Required: Pro+

IP Blocking Rules

  • Description: Collects IP blocking and allowlist configurations

  • Frequency: Monthly

  • Auto-Verify: Yes

  • Plan Required: All plans (limits vary by plan)

Audit & Monitoring

Audit Logs

  • Description: Team activity audit logs for security monitoring

  • Frequency: Monthly

  • Auto-Verify: No (manual review required)

  • Plan Required: Enterprise only

SOC 2 Control Coverage

The Vercel integration provides evidence for the following SOC 2 (2017) Trust Services Criteria:

CC6 - Logical and Physical Access Controls

CC6.1 - Logical Access Security

The entity implements logical access security software, infrastructure, and architectures to protect information assets

  • Team Members & Roles - Access policies enforce least-privilege principles

  • RBAC Configuration - Role-based access controls are properly configured

  • Project Access Settings - Project-level access is restricted appropriately

  • SSO/SAML Configuration - Enterprise SSO enforces strong authentication

CC6.2 - User Registration and Authorization

Prior to issuing system credentials and granting access, the entity registers and authorizes new users

  • Team Members & Roles - Complete inventory of users with access and role assignments

  • Audit Logs - User registration and authorization events are logged (Enterprise)

CC6.3 - Removal of Access Rights

The entity removes credentials and disables system access when no longer required

  • RBAC Configuration - Role changes and access modifications documented

  • Audit Logs - Access revocation events are logged (Enterprise)

CC6.6 - Logical Access Security Measures

The entity implements controls to prevent or detect and act upon unauthorized logical access

  • Project Access Settings - Project-level access restrictions prevent unauthorized access

  • Deployment Protection - Deployments are protected from unauthorized access

  • WAF Status - Web Application Firewall protects against attacks (Pro+)

  • WAF Rules - Custom WAF rules provide application-level protection (Pro+)

  • IP Blocking Rules - Network-level access restrictions are configured

CC6.7 - Data Transmission Controls

The entity restricts transmission and movement of data

  • Environment Variables - Sensitive data is properly protected and encrypted

CC7 - System Operations

CC7.2 - Security Event Logging

The entity identifies and logs security events

  • Audit Logs - Security events are recorded (Enterprise)

CC8 - Change Management

CC8.1 - Change Management

The entity authorizes, documents, and controls infrastructure changes

  • Deployment Protection - Deployment changes require appropriate authorization

  • Audit Logs - Infrastructure changes are logged (Enterprise)

ISO 27001:2022 Control Coverage

The Vercel integration provides evidence for the following ISO 27001:2022 Annex A controls:

A.5 - Organizational Controls

A.5.15 - Access Control

Rules to control physical and logical access to information and other associated assets shall be established and implemented

  • Team Members & Roles - Access policies enforce security requirements

  • RBAC Configuration - Role-based access control is implemented

  • Project Access Settings - Project-level access is controlled

  • SSO/SAML Configuration - Strong authentication is enforced (Enterprise)

A.5.16 - Identity Management

The full life cycle of identities shall be managed

  • Team Members & Roles - Complete inventory of identities

  • Audit Logs - Identity lifecycle events are tracked (Enterprise)

A.5.17 - Authentication Information

Allocation and management of authentication information shall be controlled

  • SSO/SAML Configuration - Authentication is properly configured (Enterprise)

  • Deployment Protection - Deployment authentication requirements

A.5.18 - Access Rights

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed

  • RBAC Configuration - Access rights are managed through roles

  • Audit Logs - Access changes are logged (Enterprise)

A.5.23 - Information Security for Use of Cloud Services

Processes for acquisition, use, management and exit from cloud services shall be established

  • WAF Status - Cloud security controls are configured (Pro+)

  • Deployment Protection - Cloud deployments are protected

  • Audit Logs - Cloud service usage is logged (Enterprise)

A.8 - Technological Controls

A.8.3 - Information Access Restriction

Access to information and other associated assets shall be restricted

  • Project Access Settings - Project data access is restricted

  • Deployment Protection - Deployment access is controlled

  • IP Blocking Rules - Network access is restricted

A.8.9 - Configuration Management

Configurations, including security configurations, shall be established, documented, implemented, monitored and reviewed

  • WAF Status - Security configurations are documented (Pro+)

  • WAF Rules - Custom security rules are configured (Pro+)

A.8.12 - Data Leakage Prevention

Data leakage prevention measures shall be applied

  • Environment Variables - Sensitive variables are protected

  • Deployment Protection - Unauthorized access to deployments is prevented

A.8.15 - Logging

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed

  • Audit Logs - Activity logs are maintained (Enterprise)

A.8.16 - Monitoring Activities

Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken

  • WAF Status - Security monitoring via WAF (Pro+)

A.8.20 - Networks Security

Networks and network devices shall be secured, managed and controlled

  • WAF Status - Web Application Firewall provides network protection (Pro+)

  • WAF Rules - Network security rules are configured (Pro+)

  • IP Blocking Rules - Network access is controlled

A.8.21 - Security of Network Services

Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored

  • WAF Status - Network service security is monitored (Pro+)

  • IP Blocking Rules - Network service access is controlled

Verification Rules

Auto-verified evidence sources are checked against the following compliance thresholds:

Team Members & Roles

  • All team members have assigned roles: Required

  • No orphaned or inactive members: Flagged

  • Admin role usage: Documented and reviewed

RBAC Configuration

  • Custom roles follow least-privilege: Recommended

  • Role assignments documented: Required

  • Sensitive permissions (billing, team management): Flagged for review

Project Access Settings

  • Project access restricted to authorized teams: Required

  • No overly permissive project settings: Flagged

  • Production project restrictions: Recommended

Deployment Protection

  • Production environments protected: Required

  • Authentication required for preview deployments: Recommended

  • Password protection configured: Optional

Environment Variables

  • Sensitive variables marked as secret: Required

  • Production secrets properly scoped: Required

  • No plaintext credentials: Required

  • Environment separation (dev/staging/prod): Recommended

SSO/SAML Configuration (Enterprise)

  • SSO enforcement enabled: Required

  • SAML configuration valid: Required

  • Identity provider properly configured: Required

WAF Status (Pro+)

  • WAF enabled on production projects: Required

  • WAF mode set to active (not monitor-only): Recommended

  • All public-facing projects protected: Required

WAF Rules (Pro+)

  • OWASP Core Rule Set enabled: Recommended

  • Custom rules reviewed: Manual verification

  • Rule exceptions documented: Required

IP Blocking Rules

  • Blocking rules configured: Optional

  • Allowlist properly scoped: Recommended

  • Geographic restrictions (if applicable): Documented

Audit Logs (Enterprise)

  • Audit logging enabled: Required

  • Log retention appropriate: Recommended

  • Regular log review: Manual verification

Summary: Control Coverage Matrix

SOC 2 Controls by Evidence Source

Team Members & Roles

  • CC6.1: Yes

  • CC6.2: Yes

RBAC Configuration

  • CC6.1: Yes

  • CC6.3: Yes

Project Access Settings

  • CC6.1: Yes

  • CC6.6: Yes

Deployment Protection

  • CC6.6: Yes

  • CC8.1: Yes

Environment Variables

  • CC6.7: Yes

SSO/SAML Configuration (Enterprise)

  • CC6.1: Yes

WAF Status (Pro+)

  • CC6.6: Yes

WAF Rules (Pro+)

  • CC6.6: Yes

IP Blocking Rules

  • CC6.6: Yes

Audit Logs (Enterprise)

  • CC6.2: Yes

  • CC6.3: Yes

  • CC7.2: Yes

  • CC8.1: Yes

ISO 27001 Controls by Evidence Source

Team Members & Roles

  • A.5.15: Yes

  • A.5.16: Yes

RBAC Configuration

  • A.5.15: Yes

  • A.5.18: Yes

Project Access Settings

  • A.5.15: Yes

  • A.8.3: Yes

Deployment Protection

  • A.5.17: Yes

  • A.5.23: Yes

  • A.8.3: Yes

  • A.8.12: Yes

Environment Variables

  • A.8.12: Yes

SSO/SAML Configuration (Enterprise)

  • A.5.15: Yes

  • A.5.17: Yes

WAF Status (Pro+)

  • A.5.23: Yes

  • A.8.9: Yes

  • A.8.16: Yes

  • A.8.20: Yes

  • A.8.21: Yes

WAF Rules (Pro+)

  • A.8.9: Yes

  • A.8.20: Yes

IP Blocking Rules

  • A.8.3: Yes

  • A.8.20: Yes

  • A.8.21: Yes

Audit Logs (Enterprise)

  • A.5.16: Yes

  • A.5.18: Yes

  • A.5.23: Yes

  • A.8.15: Yes

Additional ISO 27001 Control Coverage

A.5.23 - Cloud Services Security

  • WAF Status (Pro+): Yes

  • Deployment Protection: Yes

  • Audit Logs (Enterprise): Yes

A.8.16 - Monitoring Activities

  • WAF Status (Pro+): Yes

A.8.21 - Security of Network Services

  • WAF Status (Pro+): Yes

  • IP Blocking Rules: Yes

Getting Started

To set up the Vercel integration:

  1. Navigate to Settings > Integrations > Vercel

  2. Click Connect Vercel Account

  3. Choose your authentication method:

    • OAuth (Recommended): Click "Connect with Vercel" for one-click authorization

    • API Token: Manually create and enter a Vercel API token

  4. Select the team to monitor (if your account has multiple teams)

  5. Validate the connection

  6. Enable evidence sources for your compliance controls

Option 1: OAuth Connection (Recommended)

  1. Click Connect with Vercel button

  2. You'll be redirected to Vercel to authorize Humadroid

  3. Grant read-only access to your Vercel account

  4. You'll be automatically redirected back to Humadroid

  5. Select a team if you have multiple teams

This method provides automatic token management and scoped permissions.

Option 2: API Token (Manual)

  1. Log into your Vercel Dashboard

  2. Go to Account Settings > Tokens

  3. Click Create to create a new token

  4. Name: "Humadroid Compliance Read-Only"

  5. Scope: Select Full Account for team access

  6. Expiration: "No Expiration" recommended for automated collection

  7. Click Create Token

  8. Copy the token immediately (it won't be shown again)

Vercel Permissions Required

The integration requires read-only permissions via OAuth or an API Token with Full Account scope:

Required Scopes

  • Team:Read - Access team membership and settings

  • Projects:Read - Access project configurations

  • Deployments:Read - Access deployment settings

  • Firewall:Read - Access WAF and IP blocking rules (Pro+)

Vercel Plan Feature Matrix

Hobby Plan

Available Features:

  • Team Members & Roles

  • RBAC Configuration (basic roles)

  • Project Access Settings

  • Deployment Protection (limited)

  • Environment Variables

  • IP Blocking Rules (10 IPs max)

Not Available:

  • WAF Status

  • WAF Rules

  • SSO/SAML Configuration

  • Audit Logs

Pro Plan

Available Features:

  • Team Members & Roles

  • RBAC Configuration

  • Project Access Settings

  • Deployment Protection (full features)

  • Environment Variables

  • IP Blocking Rules (100 IPs max)

  • WAF Status

  • WAF Rules (40 rules max)

Not Available:

  • SSO/SAML Configuration

  • Audit Logs

Enterprise Plan

All Features Available:

  • Team Members & Roles

  • RBAC Configuration (custom roles)

  • Project Access Settings

  • Deployment Protection (full features)

  • Environment Variables

  • IP Blocking Rules (custom limits)

  • WAF Status

  • WAF Rules (1000 rules max)

  • SSO/SAML Configuration

  • Audit Logs

  • SIEM Streaming

  • Trusted IPs

Troubleshooting

Common Issues

"Invalid API Token"

  • Verify the token was copied correctly (no extra spaces)

  • Check if the token has expired

  • Ensure the token has Full Account scope

"No teams found"

  • The API token may be personal-only; create a team-scoped token

  • Verify you have access to at least one team

"WAF data not available"

  • WAF features require Pro plan or higher

  • Ensure the Firewall:Read scope is included

"SSO/Audit data not available"

  • These features require Enterprise plan

  • Contact Vercel to upgrade if needed