Veirox

Security & compliance

Built for teams that ship under audit.

Data protection, access control, and observability designed so your security review passes on the first round — and stays that way as your platform grows.

SOC 2 Type II — in progress
GDPR-ready
HIPAA BAA — Enterprise
99.9% SLA — Business

Data encryption

TLS 1.3 in transit. AES-256 at rest. Per-project encryption keys for secrets, integration tokens, and sensitive attachments.

Tenant isolation

Strict project-level separation enforced at the database layer, not application logic. Cross-tenant access is unreachable by construction, verified by continuous tests.

Identity & access

OAuth SSO (Google, Microsoft) on every plan. SAML SSO, SCIM provisioning, and role-based access control on Business and Enterprise. MFA through your IdP.

Human-in-the-loop guardrails

Every destructive action runs through an approval workflow. must_always / must_never rules enforced at runtime. Every approval captures reasoning and evidence.

Audit & observability

Every tool call, approval, notification, and state change is logged. Session transcripts exportable as Markdown or PDF. SIEM-ready audit-log export on Business and above.

PII protection

Field-level redaction applied before payloads touch disk. Per-webhook retention bounds (7–365 days). Metadata-only mode for high-sensitivity sources. One-click payload purge for DSR / GDPR requests.

Secrets vault

Credentials never appear in model context, UI, or logs. The agent references secrets by friendly name; the raw value is read at runtime and discarded. Every access is audited.

Data residency

US and EU hosting regions on Enterprise. Private-cloud or on-prem deployment available for regulated workloads and air-gapped environments.

Compliance program

SOC 2 Type II audit in progress. GDPR-ready controls shipped. HIPAA BAA available under Enterprise. Latest pentest report and trust docs available under NDA.

Webhook ingress

Cryptographic verification on every delivery.

Every webhook is signed, verified, and rate-limited before touching your project. Tampered requests are rejected with a clear reason you can debug in the Signature Playground.

HMAC-SHA256

Constant-time comparison

Native per provider — GitHub, Grafana, Datadog, Sentry, generic HMAC. Signatures are compared with hmac.compare_digest, so the check does not leak timing information.

Replay protection

Timestamp tolerance windows

Stripe-style signatures enforce a configurable timestamp window. Late replays rejected at ingress before the payload is parsed.

Token rotation

Zero-downtime rotation

Rotate any webhook secret with a configurable grace window — the old token keeps working while you update every consumer.
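The HMAC-SHA256 check, the Stripe-style timestamp window and the rotation grace window described above, combined in one verifier. This is an added illustration, not Veirox code; the `t=<ts>,v1=<hex>` header layout, the 300-second default tolerance and the sample secrets are assumptions.

```python
import hashlib
import hmac
import time

# Assumed default: the page says the window is configurable but gives no value.
TOLERANCE_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Stripe-style signature: HMAC-SHA256 over "<timestamp>.<raw body>"."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(header: str, body: bytes, secrets: list[bytes], now: int,
           tolerance: int = TOLERANCE_SECONDS) -> tuple[bool, str]:
    """Verify a "t=<unix ts>,v1=<hex>" header against the raw body.

    `secrets` holds the current key plus any previous key still inside its
    rotation grace window, so a delivery signed with either one validates.
    Returns (ok, reason); the body is never parsed before the check passes.
    """
    fields = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False, "malformed signature header"
    # Constant-time comparison per key: no early exit on the first wrong byte.
    if not any(hmac.compare_digest(sign(s, ts, body), provided) for s in secrets):
        return False, "signature mismatch"
    # Replay protection: the timestamp is covered by the MAC, so a stale
    # delivery with a genuine signature is still rejected here.
    if abs(now - ts) > tolerance:
        return False, "timestamp outside tolerance window"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed sample: a delivery signed with the previous key mid-rotation."""
    old, new = b"whsec_old_constructed", b"whsec_new_constructed"
    body = b'{"event": "deploy.finished"}'
    now = int(time.time())
    header = f"t={now},v1={sign(old, now, body)}"
    return {
        "grace_window_open": verify(header, body, [new, old], now),
        "grace_window_closed": verify(header, body, [new], now),
        "tampered_body": verify(header, body + b" ", [new, old], now),
        "replayed_later": verify(header, body, [new, old], now + 600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```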

Idempotency

Duplicate delivery safe

Duplicate deliveries with the same idempotency key return the same result — no double-dispatch, no double-billing.

Rate limiting

Per-source sliding window

Precise sliding-window counters per webhook. 429 responses carry Retry-After; chatty providers never crowd out critical ones.

Retention

Automatic sweep

Per-webhook retention (7 to 365 days) enforced by a daily job. Expired events purged completely — payload, headers, all.

Shared responsibility

Who handles what.

Veirox handles

  • Platform security (encryption, isolation, patching)
  • Infrastructure availability and SLA
  • Webhook signature verification
  • Credential encryption and access audit
  • SIEM-ready audit export
  • Compliance program (SOC 2, GDPR, HIPAA)
  • Incident response and customer notification

You handle

  • Your project configuration and policies
  • Approval rules (must_always, must_never)
  • User provisioning and deprovisioning
  • Least-privilege on integration credentials
  • Retention policy per webhook / project
  • Operator training on agent boundaries
  • Veirox Connect host security (when deployed)

Questions for our security team?

Request our latest SOC 2 status, pentest summary, DPA, subprocessors list, or a vendor questionnaire response. We reply within one business day.