Security Measures
1. Introduction
This document describes the technical and organizational measures Veritrellis uses or intends to use to protect the service and Customer Content.
Security measures may evolve as the product matures. Some controls may depend on plan level, environment, integration, or customer configuration.
2. Governance
Veritrellis maintains security ownership for infrastructure, application development, access control, operational monitoring, and incident response.
Security contact: security@veritrellis.ai.
3. Access control
Measures include or are intended to include:
- role-based access control for customer workspaces;
- least-privilege access for internal administrative systems;
- separation between the customer-facing app and the internal ops console;
- authentication via WorkOS or a configured identity provider;
- secure session management;
- API key controls;
- access review processes as the team grows; and
- revocation of access when no longer required.
4. Environment separation
Veritrellis supports sandbox and production environments. Customers are responsible for using the correct environment and preventing sandbox artifacts from authorizing production actions.
Veritrellis may implement technical separation between environments, including separate keys, identifiers, configuration, and permit verification metadata.
5. Encryption
Measures include or are intended to include:
- TLS for data in transit;
- encryption at rest where supported by infrastructure providers;
- secure storage of secrets and credentials;
- hashed or protected token material where appropriate;
- signed permit tokens; and
- JWKS-based verification for signed permits where applicable.
6. Logging and monitoring
Veritrellis may maintain logs for security, auditability, debugging, and service operation, including authentication events, API events, policy evaluation events, permit events, approval events, and system errors.
Monitoring may include Uptime Kuma or similar tools. Additional monitoring, analytics, or error-reporting tools may be added later and disclosed where required.
7. Secure development
Measures include or are intended to include:
- source-control access restrictions;
- code review for material changes;
- dependency management;
- secrets management;
- secure API design;
- schema validation for action requests;
- permit-signing and verification controls;
- testing of critical authorization flows; and
- documentation for SDK/API usage.
8. Backups and resilience
Veritrellis may maintain backups of relevant systems and databases. Backup retention depends on infrastructure configuration and the Data Retention Policy.
Backups are intended for disaster recovery and operational continuity, not customer-directed archival.
9. Incident response
If Veritrellis becomes aware of a security incident affecting Customer Content, it will investigate, take reasonable containment and remediation steps, and notify affected customers where required by law or contract.
10. Customer security responsibilities
Customers are responsible for:
- secure configuration of policies and approval flows;
- verifying permits before executing downstream actions;
- securing API keys and credentials;
- configuring identity providers securely;
- managing user access and offboarding;
- preventing misuse by agents and automations;
- monitoring downstream systems;
- submitting only necessary data; and
- maintaining their own incident response processes.