Built to be quietly defensible.
Velorium is built around the assumption that the people inside it are making large, private decisions. The security posture is downstream of that.
- Encryption
TLS 1.3 in transit. AES-256 at rest. Journal entries are end-to-end encrypted with keys held by you; we cannot read them.
- Authentication
Passkey-first sign-in. Hardware key (WebAuthn) supported and encouraged for member accounts. Account recovery via verified secondary channel.
- Infrastructure
Hosted on Vercel and AWS in regions selected by member preference (EU, UK, UAE, SG). SOC 2 Type II audit in progress; report available under NDA on request.
- Model providers
Compass routes through enterprise model APIs with zero-data-retention agreements. Member content is not used for model training by us or our providers.
- Disclosure
We accept responsible disclosure at security@velorium.com. PGP key on request. We acknowledge reports within forty-eight hours, scope and triage within five business days, and credit researchers in our changelog.