Security

Security is foundational to VelorQ, not an add-on. The VelorQ platform is designed from the ground up for regulated industries — which means tenant isolation, audit logging, and compliance alignment are architectural, not policy-driven. This page summarises our security posture.

1. Architecture

1.1 Tenant isolation

Tenant data is isolated at the schema level — not merely via access-control policies that can be misconfigured. Each tenant receives a dedicated vector store namespace, a dedicated fine-tuning boundary, and a dedicated audit trail. Cross-tenant data leakage is architecturally prevented.

1.2 Knowledge Communication Layer (KCL)

Every inter-model exchange across the VelorQ hub passes through KCL protocol stages — classify, validate, anonymise, consent-check, route, and audit-log. Non-classified signals can flow between models; tenant-identifying data does not.

1.3 Network & infrastructure

The platform supports multi-region active architecture with automated failover and tenant-isolated recovery paths. Enterprise deployments also support dedicated VPC and private-cloud hosting where required.

2. Data protection

• Encryption in transit: TLS 1.2+ for all data exchanged with the Services.
• Encryption at rest: industry-standard encryption for data stored on our platform.
• Key management: keys are rotated regularly; customer-managed keys (BYOK) are available for enterprise plans.
• Minimum-necessary principle: we collect and process only what is required to deliver the Services.

3. Compliance & framework alignment

VelorQ's architecture is designed to align with the following frameworks. Certifications are pursued in sequence as deployment footprints require:

• SOC 2 Type II — trust services criteria for security, availability, and confidentiality.
• HIPAA — for healthcare deployments (SAGE, NOVA, ClinicBeyond).
• GDPR — for customers and data subjects in the European Economic Area.
• PCI-DSS — for finance deployments handling cardholder data (VYDE).
• ISO 27001 — information security management.
• India DPDP — compliance with India's Digital Personal Data Protection Act.

4. Access control

Internal access to production systems is governed by least privilege, multi-factor authentication, and regular access reviews. Administrative actions on production are logged and auditable. Customer-side access to the platform supports SSO (SAML 2.0 / OIDC), role-based access control, and session policies.

5. Audit logging

Every model exchange routed through KCL is audit-logged with immutable records including timestamp, classification, tenant identifier, and routing decision. Audit logs are retained per the applicable commercial agreement and can be exported to customer SIEM systems where contractually agreed.

6. Secure development

• Source-code review and CI-integrated static analysis before production release.
• Dependency vulnerability scanning and patch management.
• Model release gates on isolation checks — no release promotes to production without passing cross-tenant separation tests.
• Security review for architectural changes that touch the KCL protocol or tenant boundary.

7. Incident response

VelorQ maintains documented incident-response procedures covering detection, containment, remediation, communication, and post-incident review. Customer notifications for material security incidents follow the timelines specified in the applicable DPA and applicable law.

8. Responsible disclosure

We welcome responsible reports of security vulnerabilities. If you believe you have discovered a security issue affecting VelorQ, please contact us at hello@velorq.ai with the subject "Security Disclosure". We request that researchers:

• Avoid accessing, modifying, or destroying data that is not your own.
• Do not perform attacks that could degrade service for others (e.g. denial-of-service).
• Give us reasonable time to investigate and remediate before public disclosure.

We will acknowledge receipt within two business days and work in good faith to resolve valid reports.

9. Sub-processors

We engage a small set of vetted sub-processors — primarily for cloud infrastructure, email, and operational tooling. A current list is available to customers under NDA. Material changes to the sub-processor list are communicated to customers in advance in accordance with the applicable DPA.

10. Documentation

Enterprise customers and serious prospects can request a security package including architecture overview, DPA template, sub-processor list, and current compliance attestations. Email hello@velorq.ai with subject "Security Documentation".