diff --git a/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyEntity.java b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyEntity.java
new file mode 100644
index 0000000..df4a35b
--- /dev/null
+++ b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyEntity.java
@@ -0,0 +1,39 @@
+package net.siegeln.cameleer.saas.vendor;
+
+import jakarta.persistence.*;
+import java.time.Instant;
+
+@Entity
+@Table(name = "vendor_auth_policy")
+public class VendorAuthPolicyEntity {
+
+    @Id
+    @Column(name = "id")
+    private Integer id = 1;
+
+    @Column(name = "mfa_mode", nullable = false)
+    private String mfaMode = "off";
+
+    @Column(name = "passkey_enabled", nullable = false)
+    private boolean passkeyEnabled = false;
+
+    @Column(name = "passkey_mode", nullable = false)
+    private String passkeyMode = "optional";
+
+    @Column(name = "updated_at", nullable = false)
+    private Instant updatedAt = Instant.now();
+
+    @PreUpdate
+    void onUpdate() {
+        this.updatedAt = Instant.now();
+    }
+
+    public Integer getId() { return id; }
+    public String getMfaMode() { return mfaMode; }
+    public void setMfaMode(String mfaMode) { this.mfaMode = mfaMode; }
+    public boolean isPasskeyEnabled() { return passkeyEnabled; }
+    public void setPasskeyEnabled(boolean passkeyEnabled) { this.passkeyEnabled = passkeyEnabled; }
+    public String getPasskeyMode() { return passkeyMode; }
+    public void setPasskeyMode(String passkeyMode) { this.passkeyMode = passkeyMode; }
+    public Instant getUpdatedAt() { return updatedAt; }
+}
diff --git a/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyRepository.java b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyRepository.java
new file mode 100644
index 0000000..328e7ba
--- /dev/null
+++ b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyRepository.java
@@ -0,0 +1,13 @@
+package net.siegeln.cameleer.saas.vendor;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+
+public interface VendorAuthPolicyRepository extends JpaRepository<VendorAuthPolicyEntity, Integer> {
+
+    default VendorAuthPolicyEntity getPolicy() {
+        return findById(1).orElseGet(() -> {
+            var policy = new VendorAuthPolicyEntity();
+            return save(policy);
+        });
+    }
+}