Security
Your data is our responsibility
Enterprise-grade security on every plan. SOC 2 certified, GDPR compliant, and built with zero-trust principles.
Encryption
AES-256 encryption at rest, TLS 1.3 in transit. Database connections use certificate pinning.
SOC 2 Type II
Annual audit by independent firm. Penetration testing quarterly. Report available under NDA.
Audit logs
Every action logged with actor, timestamp, IP, and user agent. 90-day retention, extendable on Enterprise.
Infrastructure
Hosted on AWS (US-East-1, EU-West-1). VPC isolation, WAF, and DDoS protection via CloudFront.
Access control
RBAC with workspace admin, member, and viewer roles. SSO via SAML 2.0 and OIDC. SCIM provisioning.
Data processing
GDPR, CCPA, and UK GDPR compliant. DPA available on request. Sub-processor list maintained publicly.
Responsible disclosure
Found a vulnerability? Report it to security@velopm.app. We respond within 24 hours and offer bounties for qualifying reports.