Trust Center

Enterprise-grade by design.

Security is not a feature — it's the foundation. Every architectural decision at Veld AI prioritizes the confidentiality, integrity, and availability of your data.

Compliance & Certifications

SOC 2 Type II

Audited annually by independent third-party auditors. Controls cover security, availability, and confidentiality.

Microsoft 365 Certified

Verified application compliance with Microsoft security standards. Published in Microsoft AppSource.

GDPR Compliant

Full compliance with EU General Data Protection Regulation. Data processing agreements available for all customers.

ISO 27001 Aligned

Information security management system aligned with ISO 27001:2022 framework and controls.

CCPA Compliant

California Consumer Privacy Act compliance including right to know, delete, and opt-out.

Data Residency

US data residency by default. EU-only residency available on Enterprise plans.

Security Architecture

Zero-Retention LLM

All LLM inference calls are stateless and ephemeral. Azure OpenAI is contractually prohibited from retaining, logging, or training on any customer data. Raw content is processed in-memory and never persisted.

Tenant Isolation

Each organization's data is logically isolated with separate encryption contexts, database schemas, and access control policies. Cross-tenant data access is architecturally impossible — not just policy-restricted.

Encryption Everywhere

TLS 1.3 for all data in transit (HSTS enforced, TLS 1.0/1.1 disabled). AES-256-GCM for data at rest. Database connections are encrypted with certificate pinning. Encryption keys are managed via Azure Key Vault with HSM backing.

Immutable Audit Trail

Every data access, agent execution, configuration change, and API call is logged to an immutable, append-only audit log. Logs retained for 1 year minimum. Enterprise customers receive real-time SIEM integration.

Human-in-the-Loop

DraftReplyAgent creates email drafts that sit in your inbox until explicitly approved. No automated emails are ever sent. All agent actions are reviewable and reversible from the dashboard.

Minimal Permissions

Veld requests only the minimum Microsoft Graph API scopes required for functionality: Mail.Read (not Mail.ReadWrite), Calendars.Read, OnlineMeetings.Read, and User.Read. No admin consent required.

Access Control

  • Role-Based Access Control (RBAC): Admin, Member, and Read-Only roles with granular, feature-level permissions. Admins can customize role permissions per team.
  • Single Sign-On (SSO): Enterprise plans support Azure AD, Okta, Google Workspace, and any SAML 2.0 / OIDC-compliant identity provider.
  • Multi-Factor Authentication (MFA): MFA enforced for all admin accounts. Configurable MFA policy for all team members on Enterprise plans. Supports TOTP and hardware security keys (FIDO2).
  • API Key Management: Keys scoped per-organization with role-based rate limits. Keys can be rotated, revoked, and audited. IP allowlisting available on Enterprise plans.
  • Session Management: Configurable session timeout (default: 24 hours). Forced re-authentication for sensitive operations. Active session visibility and remote logout capability.

Infrastructure

  • Cloud Provider: Microsoft Azure — SOC 2, ISO 27001, ISO 27018, FedRAMP High, HIPAA, and PCI DSS certified.
  • Network Security: Private virtual networks (VNets) with network security groups (NSGs). All services run in isolated subnets with no public internet exposure. Azure DDoS Protection Standard enabled.
  • Container Security: Application containers run with read-only filesystems, non-root users, and minimal base images. Container images are scanned for vulnerabilities before deployment.
  • Database Security: Azure PostgreSQL with forced TLS, transparent data encryption (TDE), automated backups, and point-in-time recovery. Connection strings stored in Azure Key Vault.
  • Backups: Automated daily backups with 30-day retention. Point-in-time recovery available. Backups are encrypted and stored in a separate Azure region for disaster recovery.
  • Monitoring: 24/7 infrastructure monitoring. Automated alerting for anomalous CPU, memory, network, and error-rate patterns. Incident response within 15 minutes for P1 issues.

Application Security

  • Secure Development Lifecycle: Mandatory code review for all changes. Static analysis (SAST), dependency scanning, and secret detection integrated into CI/CD pipeline.
  • Penetration Testing: Annual third-party penetration testing by certified security firms. Additional automated vulnerability scanning on every deployment.
  • Input Validation: All API inputs are validated, sanitized, and type-checked. Protection against SQL injection, XSS, CSRF, and SSRF attacks.
  • Dependency Management: Automated dependency updates. All dependencies audited for known vulnerabilities (CVEs) before merge.
  • Rate Limiting: Per-API-key and per-IP rate limiting to prevent abuse and ensure fair usage across all customers.

Incident Response

  • Response Time: P1 (data breach or complete outage): 15-minute response, 4-hour resolution target. P2 (partial service degradation): 1-hour response. P3 (non-critical): next business day.
  • Notification: Affected customers are notified within 72 hours of a confirmed data breach, as required by GDPR and applicable regulations.
  • Post-Incident Review: Root cause analysis (RCA) published within 5 business days of incident resolution. Remediation steps documented and tracked to completion.
  • Status Page: Real-time service status available at status.veldai.io with historical uptime data and incident timeline.

Responsible Disclosure

If you discover a security vulnerability in Veld AI, we encourage responsible disclosure. Please report it to security@veldai.io. We commit to:

  • Acknowledge receipt within 24 hours
  • Provide an initial assessment within 48 hours
  • Keep you informed of remediation progress
  • Credit you in our security advisories (with your consent)
  • Not pursue legal action against good-faith security researchers

Security Contact

Wavestar Holdings LLC

Security Team: security@veldai.io

Privacy: privacy@veldai.io

For our data handling practices, see our Privacy Policy.