Licensing,
in plain sight.
VCloud operates under PTA's class licensing framework, with the scope and the licence reference printed on every contract. This page is the public-facing summary of how we run that framework — what we comply with, what we don't, and how we handle the ambiguous cases.
What our licence covers — and what it doesn't.
We hold a class licence under the Pakistan Telecommunication Authority's Class Value Added Services (CVAS) and Long Distance & International (LDI) regimes. The CVAS scope authorises us to provide internet, data and managed network services; the LDI scope covers domestic long-distance carriage between cities, which is the regulatory basis for our DPLC and inter-city transit products.
What the licence does not cover: end-user mobile services, fixed-line voice, or anything that would put us into the LL (Local Loop) regime. We've kept our scope deliberately narrow because mixing carrier and consumer mandates makes compliance messier for everyone.
Our licence reference (CVAS-LDI-2019/0421) is printed on every MSA and quote. The PTA register lists VCloud (Pvt.) Ltd. as the licensed entity, with the registered office at Gulberg III, Lahore.
How we handle directed orders.
Lawful access requests
We respond to written, properly authorised requests under the relevant Pakistani statutes. We do not action verbal or unauthenticated requests. Our regulatory affairs team is the named recipient.
Content take-down / blocking
Where PTA issues a directed block at a URL, IP or prefix level, we apply the block at the edge of our network for the customers and traffic in scope. We don't run blanket DPI or content scanning across customer traffic.
Customer notification
Where we are not legally restricted from doing so, we notify the affected customer that an action has been taken on their service. This is part of our standard MSA.
Data retention
We retain CDR-style metadata (BGP session logs, NetFlow, port assignments) for the period required under our licence. We do not retain customer payload, packet captures or DPI extracts beyond what's necessary for ticket triage.
Cross-border data
Our infrastructure is in Pakistan. Where customer workloads need to leave the country, that is on the customer side; we provide the transport layer with no inspection.
Audit access
PTA inspections are coordinated through our regulatory affairs team. We support customer-side audits of our control posture under NDA, typically as part of bank or government RFPs.
ISO alignment, RPKI, and operational practice.
ISO 27001 alignment
Our information-security management system follows the ISO/IEC 27001:2022 controls. Formal certification scoped for FY2026; readiness audits ongoing.
Network operations security
Tiered access to NMS; MFA on all engineering accounts; bastion-only access to PE/P routers; full session recording for change windows.
Routing security
RPKI ROAs for every originated prefix; invalids dropped both ways. AS-SET kept current in RIPE. MANRS observable on PeeringDB.
DDoS posture
Volumetric attacks under 50 Gbps mitigated on-net; larger attacks scrubbed via upstream wash-in-place. RTBH community honoured for customer-driven blackhole.
DC physical security
Multi-factor at building, biometric at cage, CCTV with 30-day retention, escort policy for visitors.
Vendor management
All upstream and DC vendors bound by NDA and a data-handling addendum. Annual review of critical vendors.
Compliance questions we answer in RFPs.
Are you locally owned?
Do you have a data-protection officer?
How do you handle PTA-directed blocks of customer-hosted content?
Can I get a copy of your licence?
Are you ISO 27001 certified?
How is customer payload handled?
Need a compliance pack for your RFP?
Send us the questionnaire. We turn around the standard customer-due-diligence pack inside three business days, with redacted licence and posture documents under NDA.