Trust & security

Security we can stand behind.

Operational data matters. We use proven providers, org isolation, and honest practices — without pretending to be a Fortune 500 security program.

Encryption

TLS + at-rest

Hosting

Vercel + Supabase

Isolation

Per-org data

Audit

Sensitive actions

How we protect your data

Encryption

Data is encrypted in transit (TLS) and at rest via our database provider. Credentials are hashed — never stored in plaintext.

TLS in transit
Encrypted database connections
Hashed passwords
Secrets in environment config only

Infrastructure

Veyrra runs on managed cloud services (Vercel for the app, Supabase for Postgres and auth). We choose providers with solid security baselines rather than rolling our own servers.

Hosted Next.js on Vercel
Postgres via Supabase
Isolated environments per stage
No on-premise complexity for operators

Access controls

Each organization’s data is scoped in the database. Team roles limit who can change settings, finances, and security-sensitive actions.

Row-level security (RLS)
Org-scoped data
Role-based permissions
Audit log for sensitive actions

Authentication

Sign-in is handled by Supabase Auth — email/password and secure session tokens, with standard reset and verification flows.

Secure session tokens
Email verification
Password reset links
Session management in-app

Backups

Database backups are handled by our provider’s backup policies. We design so operational data can be recovered if something goes wrong.

Provider-managed backups
Point-in-time recovery (plan-dependent)
We test restores as we scale
Your export rights in privacy policy

Incident response

We are a small team — no 24/7 SOC. If we learn of a security issue affecting customers, we investigate promptly and communicate clearly.

Documented response steps
Notify affected users when required
Post-incident summary when relevant
security@veyrra.tech for reports

Development practices

Security is part of how we ship — not a slide deck add-on.

Dependency updates as part of regular shipping

Secrets only in environment variables — never in git

Least-privilege service keys

Org isolation in queries and RLS

Sensitive actions logged (integrations, roles, etc.)

CSP and security headers on the web app

Responsible disclosure

Found something? Report it to us. Good-faith researchers are welcome — we will acknowledge, investigate, and fix where needed.

We aim to respond within a few business days
We will keep you updated on progress
Public credit if you want it, once resolved
No legal action against good-faith reports

security@veyrra.techPGP key on request

How we protect your data

Encryption

Data is encrypted in transit (TLS) and at rest via our database provider. Credentials are hashed — never stored in plaintext.

TLS in transit
Encrypted database connections
Hashed passwords
Secrets in environment config only

Infrastructure

Veyrra runs on managed cloud services (Vercel for the app, Supabase for Postgres and auth). We choose providers with solid security baselines rather than rolling our own servers.

Hosted Next.js on Vercel
Postgres via Supabase
Isolated environments per stage
No on-premise complexity for operators

Access controls

Each organization’s data is scoped in the database. Team roles limit who can change settings, finances, and security-sensitive actions.

Row-level security (RLS)
Org-scoped data
Role-based permissions
Audit log for sensitive actions

Authentication

Sign-in is handled by Supabase Auth — email/password and secure session tokens, with standard reset and verification flows.

Secure session tokens
Email verification
Password reset links
Session management in-app

Backups

Database backups are handled by our provider’s backup policies. We design so operational data can be recovered if something goes wrong.

Provider-managed backups
Point-in-time recovery (plan-dependent)
We test restores as we scale
Your export rights in privacy policy

Incident response

We are a small team — no 24/7 SOC. If we learn of a security issue affecting customers, we investigate promptly and communicate clearly.

Documented response steps
Notify affected users when required
Post-incident summary when relevant
security@veyrra.tech for reports

Development practices

Security is part of how we ship — not a slide deck add-on.

Dependency updates as part of regular shipping

Secrets only in environment variables — never in git

Least-privilege service keys

Org isolation in queries and RLS

Sensitive actions logged (integrations, roles, etc.)

CSP and security headers on the web app

Responsible disclosure

Found something? Report it to us. Good-faith researchers are welcome — we will acknowledge, investigate, and fix where needed.

We aim to respond within a few business days

We will keep you updated on progress

Public credit if you want it, once resolved

No legal action against good-faith reports