Enterprise Security

Built for Enterprise.
Audited. Redundant. Yours to inspect.

Velaro is engineered from the ground up for organizations where security is non-negotiable. Azure-hosted, SOC 2 Type II audit active, AES-256 at rest, TLS 1.3 in transit, and a controls environment your InfoSec team can actually review.

SOC 2 Type II
Audit active — report under NDA
HIPAA Ready
BAA on Enterprise Plus contracts
PCI DSS
Card data handled by Level 1 processors · SAQ A in progress
Azure-Native
AES-256 · TLS 1.3 · Key Vault
GDPR & CCPA
EU data residency · DPA available
Zero Data Selling
No data sold, shared, or monetized

SOC 2 Type II - Audit In Progress

We have completed controls mapping and evidence collection, and Type I controls have been validated. Our Type II observation period is currently active and ongoing.

The full SOC 2 Type II report will be available to enterprise customers and qualified prospects under NDA. To request the report or a security Q&A session, email security@velaro.com with your organization name and use case; our security team responds within one business day.

Azure migration strengthened our control environment. Our 2025 migration to Microsoft Azure strengthened our SOC 2 posture: native network segmentation, Azure Key Vault for secrets management, centralized and complete audit logging, and geo-redundant storage controls that support the Availability criterion.

Trust Services Criteria Covered

Security (CC)

The system is protected against unauthorized access, both physical and logical. Covers firewalls, WAF, MFA enforcement, and RBAC controls.

Availability (A)

The system is available for operation as committed. Covers SLA monitoring, incident response, and hot-standby regional failover.

Confidentiality (C)

Information designated as confidential is protected. Covers tenant isolation, data classification, encryption at rest and in transit.

Processing Integrity (PI)

System processing is complete, valid, accurate, and timely. Covers input validation, audit trails, and error handling controls.

Azure-Hosted. Multi-Region. Redundant by Default.

Velaro runs entirely on Microsoft Azure, leveraging the same infrastructure trusted by 95% of Fortune 500 companies. Our architecture is designed for zero single points of failure.

Simplified Architecture - Public Reference Document - Not All Components Shown

End Users: web and mobile clients (agents and customers), connecting over HTTPS / TLS 1.3.

Edge / CDN: Azure Front Door provides the global CDN, WAF, and DDoS protection. Requests are routed to the primary region, with automatic failover to the secondary.

App Tier (internal VNet, private endpoints only):
  • App Services - auto-scaling
  • API Gateway - rate limiting
  • Service Bus - async messaging

Data Tier:
  • Azure SQL - geo-replication
  • Redis Cache - session / hot data
  • Blob Storage - AES-256 encrypted

Security & Identity:
  • Azure Key Vault - secrets and BYOK; key retrieval over a private endpoint
  • Azure AD / Entra ID - identity and SSO
  • Audit Log Store - immutable, 7-year retention

Regions:
  • East US - primary (active)
  • West US - failover (hot standby)
  • EU West (Frankfurt) - GDPR data residency

99.9% Uptime SLA
Enterprise plan. Hot-standby regional failover. Measured monthly, excluding scheduled maintenance.

3 Azure Regions
East US primary, West US failover, EU West for GDPR data residency. Additional regions on qualifying plans.

<60s Failover RTO
Azure Front Door routes traffic to the standby region automatically. No manual intervention required.

Encrypted Everywhere. At Every Layer.

Every byte of your data is protected in transit and at rest. We use industry-standard encryption algorithms and allow enterprise customers to manage their own keys.

Encryption in Transit

All connections to and within Velaro are encrypted. No exceptions.

  • TLS 1.2 minimum enforced across all endpoints; TLS 1.0 and 1.1 are disabled on every surface
  • TLS 1.3 preferred and negotiated automatically for clients that support it
  • HSTS enforced, so browsers cache an HTTPS-only policy for the domain
  • Azure Front Door terminates client TLS at the edge, where the WAF inspects requests; the connection from Front Door back to the origin is encrypted as well (the no-exceptions rule covers that hop)
  • Internal service-to-service traffic is confined to private endpoints inside the VNet and is itself TLS-encrypted; a VNet isolates traffic, it does not encrypt it
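The HSTS and TLS-version bullets above are claims an InfoSec reviewer verifies rather than takes on faith. The following is an added example, not Velaro's code: a parser for the Strict-Transport-Security header as defined in RFC 6797 and a check that flags the failure modes browsers silently tolerate (header absent, max-age=0, a short max-age, a missing includeSubDomains, or a malformed directive that makes the browser discard the header). The one-year minimum is an assumption chosen to match the preload-list requirement, and every header value shown is constructed.

```python
import re
from dataclasses import dataclass

ONE_YEAR = 31_536_000  # seconds; assumed minimum max-age for this check


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


class HstsError(ValueError):
    """Header does not conform to the RFC 6797 grammar (browsers ignore it)."""


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value.

    Directives are ';'-separated, names are case-insensitive, max-age is
    required, and no directive may appear twice. Unknown directives are
    ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise HstsError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                raise HstsError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise HstsError("max-age directive missing")
    return HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(headers: dict, min_age: int = ONE_YEAR) -> list:
    """Return a list of findings; an empty list means the policy meets the bar."""
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return ["HSTS header absent: the first plain-HTTP request can be downgraded"]
    try:
        policy = parse_hsts(value)
    except HstsError as exc:
        return [f"HSTS header unparseable ({exc}); browsers ignore malformed headers"]

    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears the cached policy instead of enforcing it")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age}s is below the {min_age}s minimum")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains remain reachable over HTTP")
    return findings


if __name__ == "__main__":
    # Constructed response headers, as a scanner would see them.
    good = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
    weak = {"strict-transport-security": "max-age=300"}
    print("good:", check_hsts(good))
    print("weak:", check_hsts(weak))
```

Pair this with a version probe against the endpoint, for example `openssl s_client -tls1_1 -connect host:443`, which must fail the handshake if the TLS 1.0/1.1 claim holds.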

Encryption at Rest

All stored data is encrypted. Chat transcripts are tenant-isolated and encrypted at the row level.

  • AES-256 for all data at rest across Azure SQL, Blob, and Redis (for Redis this covers persisted snapshots; working data is held in memory and protected by network isolation)
  • Microsoft-managed keys by default, with rotation handled by the platform
  • Customer-managed keys (BYOK) available on Enterprise plans via Azure Key Vault, which puts rotation and revocation of the key under your control
  • Chat transcripts encrypted at rest, tenant-isolated, never co-mingled
  • Passwords are never stored in recoverable form; only bcrypt hashes are kept
  • Backup encryption matches primary storage standards

Least-Privilege Access. Full Audit Trail.

Enterprise identity integration, fine-grained roles, MFA enforcement, and complete audit logging of every administrative action.

Identity & Authentication

Connect your identity provider. Enforce your policies.

  • SSO via SAML 2.0 - Okta, Azure AD, Google Workspace, Ping, and others
  • OIDC support for modern identity providers
  • SCIM provisioning for automated user lifecycle management
  • MFA enforced for all admin accounts - cannot be disabled
  • MFA enforced for all users on Enterprise plans (configurable)
  • IP allowlisting available as Enterprise add-on
  • Session timeout policies configurable per role

Roles & Audit Logging

Granular roles with a complete, tamper-evident log of every action.

  • Admin - full system configuration access
  • Supervisor - team management, reporting, queue oversight
  • Agent - conversation handling only
  • Analyst - read-only reporting and analytics
  • Read-Only - view without modification rights
  • Every admin action logged with user, timestamp, source IP address, and change detail
  • Audit logs are append-only and immutable, retained per your data retention policy (up to 7 years)
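"Tamper-evident" is a testable property: an auditor should be able to run a verifier over an exported log and get a yes or no. The block below is an added example, not Velaro's audit implementation. It chains admin-action entries with SHA-256 (each entry commits to the hash of the one before it) and verifies the chain, flagging an in-place edit, an edit with its own hash recomputed, and a deleted entry. The field names, actor, IP and actions are constructed sample data.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # link value carried by the first entry


def _canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace: the same record always serialises identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(record: dict) -> str:
    """SHA-256 over every field except the hash itself. Because 'prev' is
    hashed too, each entry commits to the entire chain before it."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


def append_event(log: list, ts: str, actor: str, action: str, ip: str, detail: str) -> dict:
    """Append one admin action. The log is only ever appended to."""
    record = {
        "seq": len(log),
        "ts": ts,
        "actor": actor,
        "action": action,
        "ip": ip,
        "detail": detail,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = entry_hash(record)
    log.append(record)
    return record


def verify_chain(log: list):
    """Return None if the chain is intact, else the index of the first bad entry.

    Sequence continuity catches deletion or insertion, the prev link catches
    reordering and downstream effects of a rehash, and the entry hash catches
    in-place edits.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev or entry_hash(rec) != rec.get("hash"):
            return i
        prev = rec["hash"]
    return None


def build_sample_log() -> list:
    """Constructed sample admin actions with fixed timestamps so hashes are reproducible."""
    log = []
    append_event(log, "2025-01-10T09:00:00Z", "admin@example.test", "role.assign",
                 "203.0.113.5", "user u-42 -> Supervisor")
    append_event(log, "2025-01-10T09:05:00Z", "admin@example.test", "retention.update",
                 "203.0.113.5", "transcripts: 12m -> 7y")
    append_event(log, "2025-01-10T09:07:00Z", "admin@example.test", "sso.saml.update",
                 "203.0.113.5", "rotated IdP signing certificate")
    return log


def tamper_scenarios(log: list) -> dict:
    """Apply three tampering attempts to copies of the log; report what verify_chain flags."""
    edited = copy.deepcopy(log)
    edited[1]["detail"] = "transcripts: 12m -> 30d"  # edit without touching the hash

    edited_rehashed = copy.deepcopy(edited)
    edited_rehashed[1]["hash"] = entry_hash(edited_rehashed[1])  # edit and fix own hash

    deleted = copy.deepcopy(log)
    del deleted[1]  # drop an entry from the middle

    return {
        "intact": verify_chain(log),
        "edited": verify_chain(edited),
        "edited_rehashed": verify_chain(edited_rehashed),
        "deleted": verify_chain(deleted),
    }


if __name__ == "__main__":
    print(tamper_scenarios(build_sample_log()))
```

The chain alone does not stop an attacker with write access from rehashing every downstream entry; what makes it immutable in practice is anchoring the latest hash somewhere the application cannot rewrite (WORM or immutable blob storage, or a signature with a key the application can use but not export), which is the role the "immutable" audit log store plays in the architecture above.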

The Certifications Enterprise Procurement Requires

We support the compliance frameworks that matter to regulated industries. Documentation and BAAs are available to qualifying customers.

SOC 2 Type II
Audit Active

Type I controls validated. Type II audit period active. Report available under NDA to enterprise customers and prospects.

HIPAA Ready
Enterprise Plus

Business Associate Agreement included on Enterprise Plus contracts. Enhanced audit logging, extended retention, and HIPAA-specific controls configuration.

PCI DSS
SAQ A scope

Velaro's Secure Form module routes card capture through PCI DSS Level 1 validated processors (Stripe Elements and other PCI-validated integrations). Cardholder data is tokenized at the processor and never enters Velaro's platform, which keeps Velaro in SAQ A scope. The Level 1 validation belongs to the processors, not to Velaro; Velaro's own SAQ A self-assessment is in progress.

GDPR
Compliant

EU data residency in Azure EU West (Frankfurt). Data Processing Agreements available. GDPR Article 17 deletion requests honored within 30 days.

CCPA
Compliant

California Consumer Privacy Act compliance. Consumer data requests honored. Data subject rights (access, deletion, portability) supported natively.

Azure Security Baseline
Implemented

Full Microsoft Azure Security Benchmark implementation. Continuous compliance posture monitoring via Microsoft Defender for Cloud.

Your Data is Yours. Always.

We never sell, share, or monetize your data. Every customer's data is fully isolated and exportable at any time.

Tenant Isolation
Each customer's data is isolated at the database and storage layers, with no co-mingling. The tenant ID of the authenticated caller is enforced at every API endpoint.

Data Retention
Configurable from 30 days to 7 years; the default is 12 months. Enterprise customers can set retention per data category (transcripts, recordings, contact records).

Right to Deletion
GDPR Article 17 compliant. Submit a purge request via your account portal or to privacy@velaro.com. The full purge completes within 30 days of a verified request.

Data Exports
Full export available at any time through the admin console, covering all transcripts, contact records, and configuration. Exports are delivered as structured JSON or CSV within 24 hours of the request.

Data on Cancellation
You have 30 days after cancellation to export your data. Once the export window closes, all data is permanently purged from production systems, backups, and disaster recovery stores.

Do We Sell Your Data?
No. We do not sell, license, or share your data with third parties for advertising or any other commercial purpose. Full stop.
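"Tenant ID is enforced at every API endpoint" is the control that most often fails in multi-tenant SaaS: one lookup keyed on a record id alone lets any authenticated user read another customer's transcript. The following is an added example, not Velaro's code, showing the vulnerable lookup beside the hardened one against an in-memory SQLite table; the table, the two tenants and the AuthContext type are constructed for illustration.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample rows (not real data): two tenants, one transcript each.
SAMPLE_ROWS = [
    (1, "tenant-a", "Customer A: my order never arrived"),
    (2, "tenant-b", "Customer B: please reset my password"),
]


@dataclass(frozen=True)
class AuthContext:
    """Caller identity as resolved from the session token.

    tenant_id comes from the authenticated session, never from a request
    parameter the client could rewrite.
    """
    user_id: str
    tenant_id: str


class NotFound(Exception):
    """Raised for both 'no such row' and 'row belongs to another tenant'."""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transcripts ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO transcripts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_transcript_unscoped(conn: sqlite3.Connection, transcript_id: int):
    """Vulnerable pattern: keyed on the row id alone, so any authenticated
    user reads any tenant's transcript by guessing sequential ids."""
    return conn.execute(
        "SELECT id, tenant_id, body FROM transcripts WHERE id = ?",
        (transcript_id,),
    ).fetchone()


def get_transcript_scoped(conn: sqlite3.Connection, ctx: AuthContext, transcript_id: int):
    """Hardened pattern: the caller's tenant_id is part of the predicate.

    A cross-tenant id produces the same NotFound as a nonexistent id, so the
    endpoint does not even confirm that the other tenant's row exists.
    """
    row = conn.execute(
        "SELECT id, tenant_id, body FROM transcripts WHERE id = ? AND tenant_id = ?",
        (transcript_id, ctx.tenant_id),
    ).fetchone()
    if row is None:
        raise NotFound(f"transcript {transcript_id} not visible to {ctx.tenant_id}")
    return row


def cross_tenant_read_possible(conn: sqlite3.Connection, ctx: AuthContext, transcript_id: int) -> bool:
    """True if the scoped lookup would hand ctx a row owned by another tenant."""
    try:
        row = get_transcript_scoped(conn, ctx, transcript_id)
    except NotFound:
        return False
    return row[1] != ctx.tenant_id


if __name__ == "__main__":
    db = build_db()
    tenant_b_agent = AuthContext(user_id="agent-7", tenant_id="tenant-b")
    # The unscoped lookup hands tenant A's transcript to a tenant B agent.
    print("unscoped:", get_transcript_unscoped(db, 1))
    # The scoped lookup refuses it.
    try:
        get_transcript_scoped(db, tenant_b_agent, 1)
    except NotFound as exc:
        print("scoped:", exc)
```

The per-query predicate is necessary but relies on every endpoint remembering it. On Azure SQL the same rule can be made fail-closed with row-level security: a security policy whose filter predicate compares tenant_id to a value the application sets in SESSION_CONTEXT at connection time, so a query that omits the filter returns nothing rather than everything.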

Sub-Processors

The following third-party services process data on our behalf as data processors. None are data controllers of your customer data.

  • Microsoft Azure - cloud infrastructure
  • Twilio - SMS / voice channels
  • SendGrid - transactional email
  • ElevenLabs - voice synthesis (IVR)
  • OpenAI - AI features (opt-in)

Proactive Security. Rapid Response.

We operate a responsible disclosure program, scan dependencies continuously, and patch critical vulnerabilities within 72 hours.

Responsible Disclosure

Found a vulnerability? We want to know. Email security@velaro.com with details. We acknowledge all reports within 24 hours and commit to transparent communication throughout remediation. We do not pursue legal action against good-faith researchers.

Patch SLA

Critical CVEs (CVSS 9.0+) are patched and deployed within 72 hours of confirmed impact assessment. High severity (7.0–8.9) within 7 days. Medium and below are addressed in our regular release cycle. Security patches are never delayed for feature releases.

Dependency Scanning

Third-party dependencies are scanned with SCA tooling on every CI/CD pipeline run, and first-party code with SAST. Builds whose dependencies carry known critical vulnerabilities are blocked from deployment. Annual penetration testing is conducted by an independent third-party firm.

Questions We Hear from InfoSec Teams

Answers to the questions that come up in every enterprise security review.

Do you sell or share our data?

No. Velaro does not sell, license, share, or monetize customer data in any form. Your data - including all conversations, contact records, and usage data - is used exclusively to provide you the Velaro service. We do not use it to train AI models without explicit opt-in, and we do not provide it to third parties for advertising or analytics purposes.

Where is our data stored?

By default, data is stored in the United States on Azure East US (primary) with replication to Azure West US. For GDPR compliance or data sovereignty requirements, EU data residency is available on qualifying plans - data is stored in Azure EU West (Frankfurt, Germany). Additional regions are available for enterprise customers with specific residency requirements. Contact your account manager to configure data residency before your account goes live.

Do you sign a Business Associate Agreement?

Yes. Velaro provides a Business Associate Agreement (BAA) as part of our HIPAA compliance package, included with Enterprise Plus contracts. The package covers the BAA, enhanced audit logging, extended data retention, dedicated compliance review, and HIPAA-specific controls configuration. BAAs require an executed Enterprise Plus agreement; they are not available on self-service or standard plans. Contact sales@velaro.com to discuss Enterprise Plus terms.

Can we run our own security due diligence?

Yes. Enterprise prospects are welcome to conduct security due diligence. We provide the SOC 2 Type II report under NDA, CAIQ questionnaire responses, annual penetration test summary findings, and architecture documentation. A live security Q&A session with our engineering team is available for qualifying enterprise prospects. Vendor security questionnaires in SIG format are scoped as part of an enterprise agreement; they require a signed contract and are not fulfilled on an ad-hoc or pre-sales basis. Email security@velaro.com with your organization name and use case to begin.

What happens to our data if we cancel?

Upon cancellation, you have a 30-day window to export all your data through the admin console. Exports include full conversation transcripts, contact records, team configuration, and analytics data in structured format. After the 30-day window, all data - including backups and disaster recovery copies - is permanently purged. You will receive a written deletion confirmation upon request.

Do you perform penetration testing?

Yes. Velaro undergoes annual penetration testing conducted by an independent third-party security firm. The scope covers our production web application, API endpoints, authentication flows, and infrastructure configuration. Summary findings and remediation evidence are available to enterprise customers under NDA as part of the security review package. We also conduct internal red team exercises on a quarterly basis.

Get the documentation your InfoSec team needs.

Enterprise buyers get the full package: SOC 2 report, security Q&A, pen test summary, and dedicated InfoSec support.

Request security documentation: security@velaro.com