Security Policy

Last Updated: 2025-11-23

At Vekora, security is a foundational component of our platform. This policy outlines the technical and organizational measures we implement to protect our infrastructure, your data, and the reliability of our services. This document focuses on our internal security posture. For details regarding data rights, legal usage, or uptime guarantees, please refer to the specific documents linked below.

As a Platform as a Service (PaaS) provider, security is a shared responsibility:

  • Our Responsibility: Security of the cloud. We protect the infrastructure, runtime environments, physical hardware, and networking layers.
  • Your Responsibility: Security in the cloud. You are responsible for the security of the code you deploy, your application dependencies, and the management of your account credentials.
    • For prohibited actions, please refer to our Acceptable Use Policy.
  • Cloud Providers: Our infrastructure is hosted on top-tier cloud providers that maintain industry-standard certifications including SOC 2 Type II and ISO 27001.
  • Network Protection: We utilize virtual private clouds (VPCs), firewalls, and intrusion detection systems to isolate and protect production environments.
  • DDoS Mitigation: We deploy automated mitigation strategies to protect against Distributed Denial of Service (DDoS) attacks at the network and application layers.
  • Encryption in Transit: All data transmitted between your users and our platform is encrypted using strong protocols (TLS 1.2 or higher).
  • Encryption at Rest: User data, including databases and file storage, is encrypted at rest using AES-256 encryption standards.
  • Backups: We perform automated, regular backups of persistent data stores to ensure business continuity.
    • For details on data processing specifics and GDPR compliance, please refer to our Data Processing Agreement and Privacy Policy.
  • Secure Development: Security is integrated into our Software Development Life Cycle (SDLC). All code changes undergo peer review and automated static analysis before deployment.
  • Authentication: We support Multi-Factor Authentication (MFA) and enforce strong password policies. We do not store plain-text passwords.
  • Separation of Environments: Development, staging, and production environments are strictly separated. Customer data is never used in non-production environments.
  • Least Privilege: Access to production infrastructure is restricted to a limited number of authorized engineering personnel based on the principle of least privilege.
  • Device Security: All employee workstations are managed with disk encryption, automatic updates, and endpoint protection.
  • Vendor Management: We strictly vet third-party vendors for security compliance.
    • A full list of third-party vendors can be found in our Subprocessor List.

We maintain a dedicated incident response plan. In the event of a security breach or service disruption, we have procedures in place to identify, contain, and mitigate the issue.

  • Uptime guarantees and outage credit details are defined in our Service Level Agreement (SLA).

We welcome reports from security researchers and the community regarding vulnerabilities in our platform.

  • Please do not disclose vulnerabilities publicly. Refer to our Bug Bounty Policy for reporting guidelines, safe harbor provisions, and reward structures.

If you have specific security questions not covered by this policy or the associated documents (ToS, DPA, etc.), please contact our security team at [email protected].