Velaro Security and Privacy — Customer Guide

Velaro is built security-first. This guide covers what protects your data, your agents, and your customers' visitors.

---

Data Encryption

All conversations are encrypted in transit using TLS 1.3 and at rest using AES-256. No plaintext conversation data is ever stored. Encryption keys are rotated automatically.

Customer data is never sold, shared with advertisers, or used to train third-party AI models.

---

GDPR Compliance

Velaro is GDPR compliant by architecture, not just by policy:

No third-party tracking via fonts. Velaro self-hosts all fonts — no requests to Google Fonts or any external typography CDN. Visitor IP addresses are never sent to Google when your chat widget loads. This complies with German and EU court rulings on Google Fonts usage.

Data Processing Agreement (DPA). A signed DPA is available for all customers. Contact support@velaro.com to request it.

Sub-processor list. Velaro maintains a current list of all sub-processors (Azure, Twilio, etc.) updated monthly. Request it from your account manager or support.

Right to erasure. Data retention settings in Admin → Account → Data Retention allow you to configure automatic deletion schedules. Support can process individual erasure requests within 30 days.

Data residency. US data center by default. EU data center available for Enterprise plans. Contact sales to configure.

---

HIPAA

HIPAA-ready configuration is available on the Compliance Pro package ($800/mo). Velaro does not store PHI by default — the Compliance Pro package adds:

  • BAA (Business Associate Agreement)
  • Enhanced audit logging
  • Automatic conversation data purging after configurable retention period
  • SecureForms for collecting sensitive health information without Velaro storing raw values

---

SOC 2 Type II

Velaro is SOC 2 Type II certified. The report is available under NDA within 24 hours of a signed request. Contact your account manager or security@velaro.com.

---

PCI DSS

Velaro uses SecureForms for any payment card data collection. Form values flow directly to your webhook — Velaro never sees or stores raw card numbers. This keeps your integration within PCI DSS SAQ-A scope.

---

Security Headers

The Velaro admin portal and API ship with security headers on every response:

  • X-Frame-Options: DENY — prevents the admin portal from being embedded in an iframe (clickjacking protection)
  • Strict-Transport-Security — forces HTTPS; max-age 1 year with subdomain inclusion
  • Content-Security-Policy — restricts which domains scripts, fonts, and network calls can reach (enforced via Azure Front Door)
  • Permissions-Policy — disables camera, microphone, and geolocation access
  • X-Content-Type-Options: nosniff — prevents MIME-sniffing attacks
  • Referrer-Policy: strict-origin-when-cross-origin — limits referrer data in cross-origin requests
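The list above is a policy you can verify rather than take on trust. The following Python script is an added example (not Velaro's code) that audits a set of response headers against exactly those six expectations. The header names and values come from this guide; the parsing rules (a minimum max-age of one year, `()` meaning a feature is fully disabled in Permissions-Policy) are the author's assumptions, and the sample header sets are constructed here, not captured from a real Velaro response.

```python
"""Audit HTTP response headers against the security-header policy described above.

Added example, not Velaro code. Header names and expected values are taken
from the guide; thresholds and parsing rules are this example's assumptions.
"""
import urllib.request

ONE_YEAR = 31536000  # seconds; the guide says HSTS max-age is one year

# Constructed sample: a response that meets every expectation in the guide.
SAMPLE_GOOD = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed sample: a response with weak or missing headers.
SAMPLE_WEAK = {
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=300",
    "Content-Type": "text/html",
}


def _semicolon_directives(value):
    """Parse 'max-age=31536000; includeSubDomains' into {name: value} (names lowercased)."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def _permissions_policy(value):
    """Parse 'camera=(), microphone=()' into {feature: allowlist}; '()' means disabled."""
    out = {}
    for part in value.split(","):
        name, _, allow = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = allow.strip()
    return out


def audit_headers(headers):
    """Return a list of findings; an empty list means all six checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY (clickjacking)")

    hsts = _semicolon_directives(h.get("strict-transport-security", ""))
    try:
        max_age = int(hsts.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in hsts:
        findings.append("HSTS missing includeSubDomains")

    if not h.get("content-security-policy", "").strip():
        findings.append("Content-Security-Policy missing")

    pp = _permissions_policy(h.get("permissions-policy", ""))
    for feature in ("camera", "microphone", "geolocation"):
        if pp.get(feature) != "()":
            findings.append(f"Permissions-Policy does not disable {feature}")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if h.get("referrer-policy", "").strip().lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")

    return findings


def fetch_and_audit(url):
    """Fetch a URL (network call) and audit its response headers."""
    with urllib.request.urlopen(url) as resp:  # nosec: intended outbound request
        return audit_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, audit_headers(sample) or "all checks passed")
```

Run it against the constructed samples as-is, or call `fetch_and_audit("https://<your-admin-portal>/")` to check a live endpoint; a non-empty list is the set of headers that differ from the policy this guide describes.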

---

No External CDN Dependencies

Velaro's admin portal loads zero scripts, fonts, or stylesheets from external CDNs at runtime. Everything is bundled and served from Velaro's own infrastructure (Azure Front Door + Blob Storage). This eliminates the supply chain risk of a CDN compromise affecting your agents.

---

Vulnerability Management

Dependabot: All npm and NuGet packages are scanned weekly against the CVE database. Critical vulnerabilities are patched within the SLA in your contract.

CodeQL: Static analysis runs on every code push, scanning JavaScript and C# for injection patterns, authentication bypasses, hardcoded secrets, and insecure API patterns.

WAF: Azure Front Door Web Application Firewall (OWASP ruleset) is active on all Velaro endpoints. Known exploit patterns, SQL injection attempts, and XSS payloads are blocked before reaching the application.

---

Authentication

Microsoft Entra (Azure AD) SSO. Agents authenticate via Microsoft Entra ID. Sessions use short-lived JWT tokens with automatic refresh. No passwords stored by Velaro.

SAML 2.0 / OIDC. Enterprise SSO integration available with Okta, Azure AD, Google Workspace, and any SAML 2.0-compatible identity provider.

SCIM provisioning. Automate agent user management via SCIM 2.0 — users provisioned and deprovisioned from your identity provider automatically.

---

Secure Forms

For any sensitive data collection (payment cards, SSN, medical information, insurance IDs), Velaro SecureForms keeps raw values entirely out of Velaro's systems. Form submissions go directly to your configured webhook. Velaro stores only a receipt: conversationId + formId + submittedAt.

Agents never see the raw values. Conversation transcripts show only a placeholder.

---

AI Safety

Moshky and all AI features run under S1–S6 safety rules enforced server-side:

  • No data cross-contamination between customers
  • Prompt injection attempts are blocked
  • AI responses cannot access data outside the current conversation context
  • System prompts cannot be overridden by user input

---

Reporting a Security Issue

Email security@velaro.com. Response within 24 hours. Critical vulnerabilities patched within the SLA in your contract (typically 24–72 hours for critical, 30 days for high).

Velaro maintains a vulnerability disclosure program. We do not pursue legal action against good-faith security researchers.
