Security

Vela Cloud Ltd, operating as Vela

Last updated: April 2, 2026

Our Commitment

Security is foundational to Vela. Our customers trust us with sensitive business pipeline data, funding information, and CRM records. We take that responsibility seriously and implement layered controls across infrastructure, access management, and data handling.

Infrastructure and Hosting

Vela runs entirely on a globally distributed edge cloud infrastructure with no self-managed servers. Our hosting provider holds SOC 2 Type II and ISO 27001 certifications, providing enterprise-grade physical and logical security controls. All compute and storage is isolated per deployment with no shared resources between customer environments.

Data Encryption

  • In transit: All data transmitted between your browser and our platform is encrypted using TLS 1.2 or higher. Plain HTTP connections are not accepted.
  • At rest: All stored data — including database records, uploaded files, and cached values — is encrypted at rest using AES-256.
  • Credentials and tokens: OAuth tokens from CRM integrations are encrypted before being written to storage. We never store API keys or tokens in plaintext.

Authentication and Access Control

User authentication is handled by a SOC 2 Type II certified identity provider. We use short-lived, cryptographically signed tokens that are verified on every API request. Sessions expire automatically after a period of inactivity. Multi-factor authentication (MFA) is available to all users and recommended for all accounts.

Internal access to production systems is restricted to authorised personnel only, using role-based permissions and audited access logs.

Tenant Isolation

Every request to our platform is authenticated and all database operations are strictly scoped to the verified tenant identity. There are no shared data paths between customer accounts — it is architecturally impossible for one customer's data to be accessed by another. Tenant boundaries are enforced at every layer of the stack, not just the application layer.

Third-Party Integrations

CRM integrations use the OAuth 2.0 authorisation standard. We request only the minimum permission scopes required to perform synchronisation and do not request write access beyond what is necessary. You can revoke integration access at any time from the Settings page, which immediately terminates all data exchange with that system.

Vulnerability Management

We conduct regular dependency audits to identify and remediate known vulnerabilities in the software supply chain. Critical security patches are applied on an accelerated schedule. We review security advisories from our infrastructure and identity providers continuously.

Compliance Posture

  • SOC 2 Type II: Infrastructure provider
  • ISO 27001: Infrastructure provider
  • SOC 2 Type II: Identity provider
  • GDPR: EEA data rights
  • CCPA: California privacy
  • TLS 1.2+: All connections

Responsible Disclosure

We welcome responsible disclosure from security researchers. If you discover a potential vulnerability in Vela, please report it to security@usevela.io before making any public disclosure. We commit to:

  • Acknowledging your report within 48 hours
  • Providing a status update within 7 days
  • Remediating confirmed critical vulnerabilities within 14 days
  • Not pursuing legal action against researchers acting in good faith