Security

Vela Cloud Ltd, operating as Vela

Last updated: April 2, 2026

Our Commitment

Security is foundational to Vela Cloud Ltd. Our customers trust us with sensitive business pipeline data, funding information, and CRM records. We take that responsibility seriously and implement layered controls across infrastructure, access management, and data handling.

Infrastructure and Hosting

Vela Cloud Ltd runs entirely on a globally distributed edge cloud infrastructure with no self-managed servers. Our hosting provider holds SOC 2 Type II and ISO 27001 certifications, providing enterprise-grade physical and logical security controls. All compute and storage are isolated per deployment, with no shared resources between customer environments.

Data Encryption

  • In transit: All data transmitted between your browser and our platform is encrypted using TLS 1.2 or higher. Plain HTTP connections are not accepted.
  • At rest: All stored data, including database records, uploaded files, and cached values, is encrypted at rest using AES-256.
  • Credentials and tokens: OAuth tokens from CRM integrations are encrypted before being written to storage. We never store API keys or tokens in plaintext.

Authentication and Access Control

User authentication is handled by a SOC 2 Type II certified identity provider. We use short-lived, cryptographically signed tokens that are verified on every API request. Sessions expire automatically after a period of inactivity. Multi-factor authentication (MFA) is available to all users and recommended for all accounts.

Internal access to production systems is restricted to authorised personnel only, using role-based permissions and audited access logs.

Tenant Isolation

Every request to our platform is authenticated and all database operations are strictly scoped to the verified tenant identity. There are no shared data paths between customer accounts. It is architecturally impossible for one customer's data to be accessed by another. Tenant boundaries are enforced at every layer of the stack, not just the application layer.

Third Party Integrations

CRM integrations use the OAuth 2.0 authorisation standard. We request only the minimum permission scopes required to perform synchronisation and do not request write access beyond what is necessary. You can revoke integration access at any time from the Settings page, which immediately terminates all data exchange with that system.

Vulnerability Management

We conduct regular dependency audits to identify and remediate known vulnerabilities in the software supply chain. Critical security patches are applied on an accelerated schedule. We review security advisories from our infrastructure and identity providers continuously.

An automated security audit and penetration test runs every week against both our source code and live API endpoints. Findings are reviewed and any Critical or High issues are remediated within 14 days. No code changes are applied without explicit review and approval.

OWASP Top 10 Controls

Our platform is designed and tested against the OWASP Top 10 web application security risks. Key controls include:

  • Injection (SQL, NoSQL): All database queries use parameterised statements via Cloudflare D1's prepared query API. String concatenation into SQL is prohibited and checked automatically.
  • Broken Authentication: Authentication uses Clerk-issued, RS256-signed JWTs, verified on every request via JWKS. Tokens are short-lived and scoped. MFA is available to all users.
  • XSS (Cross-Site Scripting): The frontend is built with React, which escapes all rendered output by default. dangerouslySetInnerHTML is not used. Content Security Policy headers are applied at the edge.
  • Broken Access Control: Every API request is authenticated and all database operations are strictly scoped to the authenticated tenant. There is no path by which one customer can access another's data.
  • Security Misconfiguration: Infrastructure is managed as code (Cloudflare Workers, wrangler). Secrets are stored in the Worker secrets store, never in source code or config files. Weekly automated scans check for misconfigurations.
  • Cryptographic Failures: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). OAuth tokens from CRM integrations are encrypted before storage. We do not store payment card data.
  • Rate Limiting: API rate limiting is enforced at the Cloudflare edge layer to protect against abuse and Denial of Service (DoS) attempts.

Compliance Posture

  • SOC 2 Type II: Infrastructure provider
  • ISO 27001: Infrastructure provider
  • SOC 2 Type II: Identity provider
  • GDPR: EEA data rights
  • CCPA: California privacy
  • TLS 1.2+: All connections
  • PCI DSS Level 1: Payment processor (Paddle)
  • OWASP Top 10: Tested weekly

Compliance Roadmap

Vela Cloud Ltd has implemented internal security and compliance controls across access control, incident response, risk assessment, business continuity, and data protection. We are actively working toward independent third-party validation of these controls.

  • SOC 2 Type II — Internal controls documented and in place. Third-party audit targeted for Q4 2026.
  • ISO 27001 — Information Security Management System (ISMS) policies documented. Certification engagement targeted for Q4 2026.
  • Penetration testing — Third-party penetration test planned for Q3 2026. Results summary will be made available to enterprise customers under NDA upon request.
  • GDPR / Israeli PPL — Data processing agreements, retention policies, data subject rights procedures, and breach notification processes are in place. We work with legal counsel to maintain alignment with applicable regulations.

Enterprise customers requiring evidence of compliance controls — including our internal policy documents (access control, risk assessment, business continuity, incident response) — may request them from security@usevela.io.

Responsible Disclosure

We welcome responsible disclosure from security researchers. If you discover a potential vulnerability in Vela Cloud Ltd, please report it to security@usevela.io before making any public disclosure. We commit to:

  • Acknowledging your report within 48 hours
  • Providing a status update within 7 days
  • Remediating confirmed critical vulnerabilities within 14 days
  • Not pursuing legal action against researchers acting in good faith