Security
Security at Veto
Veto sits before real tool execution, so security starts at the runtime boundary. We protect policy evaluation, customer data, and decision records with the same rule we expect from the product: least privilege, clear ownership, and reviewable evidence.
Infrastructure
- Web surfaces: Cloudflare Workers for the marketing app, auth service, and docs.
- API and gateway: Managed service infrastructure for api.veto.so, with Cloudflare at the edge.
- Data layer: Convex for managed organizations, projects, policies, approvals, and decision records.
- DNS and edge: Cloudflare for DNS, TLS termination, and edge protection.
- Secret management: Platform secret stores for production credentials and application-managed encryption keys.
Deployment model
- The open-source SDK can evaluate policy in-process, so enforcement can stay inside the application path instead of requiring every action to leave your environment.
- Managed cloud customers send only the policy, tool-call, review, and decision-record data required to deliver the service.
- Enterprise deployments can keep enforcement and evidence in customer-owned cloud or on-prem environments, with deployment scope defined during security review.
Encryption
- In transit: Production service endpoints require HTTPS/TLS. Plaintext public endpoints are not accepted.
- At rest: All database storage and backups are encrypted using provider-managed keys. Sensitive customer configuration (MCP upstream headers) is additionally encrypted at the application layer before storage.
- API keys: Stored as one-way hashes. The full key value is shown once at creation and is never stored or retrievable.
Authentication and Access Control
- Customer auth: JWT-based with 30-day session expiry. Email/password with verification, plus GitHub and Google OAuth. Session tokens are scoped to the issuing auth service.
- API auth: Project-scoped API keys with bearer token authentication. Keys are hashed at rest and can be regenerated at any time.
- Multi-tenancy: Organization and project scoping is enforced at the database and API layers to maintain tenant boundaries and prevent cross-tenant data access.
- Internal access: Follows the principle of least privilege. Production infrastructure access is limited to essential personnel with named accounts.
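Added example, not Veto's code: a minimal sketch of the API-key handling described under Encryption and API auth above (one-way hash at rest, plaintext returned once at creation, project-scoped bearer check, regeneration). SHA-256, the in-memory KEY_HASHES store, and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory store standing in for a database table:
# project_id -> hex SHA-256 digest of that project's current API key.
KEY_HASHES = {}


def digest(key: str) -> str:
    # A fast one-way hash is adequate here only because the key is 256 bits
    # of CSPRNG output, not a human-chosen password (assumption of this example).
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def issue_key(project_id: str) -> str:
    """Create or regenerate a project's key and return the plaintext once."""
    key = secrets.token_urlsafe(32)
    # Only the digest is kept; overwriting it revokes any earlier key.
    KEY_HASHES[project_id] = digest(key)
    return key


def authenticate(project_id: str, authorization_header: str) -> bool:
    """Check an 'Authorization: Bearer <key>' value against one project."""
    scheme, _, presented = authorization_header.partition(" ")
    stored = KEY_HASHES.get(project_id)
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented or stored is None:
        return False
    try:
        candidate = digest(presented)
    except UnicodeEncodeError:
        return False  # non-ASCII input can never be a key issued above
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    first = issue_key("proj_a")                      # constructed project id
    print(authenticate("proj_a", "Bearer " + first))  # own project
    print(authenticate("proj_b", "Bearer " + first))  # different project
    issue_key("proj_a")                               # regenerate
    print(authenticate("proj_a", "Bearer " + first))  # old key after regeneration
```

A database dump in this model exposes only digests, and a key presented for a project other than the one it was issued to fails the same way as an unknown key.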
Application Security
- Schema validation on API request payloads where structured input is accepted
- Rate limiting and abuse controls at the API gateway layer
- Structured logging with PII filtering in production logs
- CORS and standard security headers configured where applicable
- Dependency review as part of release and security review
- Error handling that avoids customer-data exposure in messages and debug output
Data Handling
- Customer Data (tool-call payloads, policies, decision records) is processed only to deliver the Services. We do not use it to train models.
- Decision-record query and export retention is tiered: 90 days (Core), 365 days (Growth), 2 years (Scale), enterprise-configurable.
- On account termination, Customer Data is available for export for 30 days, then deleted from production within 90 days and backups within 180 days.
- Analytics data (PostHog) is collected only with explicit cookie consent and configured with aggressive PII masking.
Incident Response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a data breach affecting customer data:
- Affected customers are notified without undue delay after confirmation, within applicable legal and contractual timelines
- Notification includes nature, scope, likely impact, and remediation steps
- Post-incident review and corrective actions are documented
Assurance posture
SOC 2 program
Our security program is mapped to the SOC 2 Trust Services Criteria (Security). We share current control evidence with qualified customer security teams during review.
GDPR
Data Processing Addendum available. Standard Contractual Clauses for international transfers. Consent-gated analytics. Sub-processor transparency.
CCPA and CPRA
No sale or sharing of personal information. Privacy rights handling. Service provider contractual commitments.
EU AI Act
Veto provides evidence tooling: decision records, policy outcomes, and human-review records that can support customer obligations. AI Act classification still depends on the customer system, role, intended purpose, and deployment context. See our EU AI Act evidence page.
Responsible Disclosure
If you discover a security vulnerability in Veto, please report it responsibly:
- Email team@veto.so with details of the vulnerability
- Include steps to reproduce, affected endpoints, and potential impact
- We acknowledge the report within 24 hours and provide an initial assessment within 5 business days
- Do not publicly disclose the vulnerability until we have had reasonable time to address it
Questions
For security questionnaires, vendor assessments, or compliance questions, contact team@veto.so. We reply within 24 hours.