Security

Security at Veto

Security is foundational to an authorization platform. Veto processes tool-call authorization decisions for AI agents, and the integrity and confidentiality of that pipeline are our primary engineering concern.

Infrastructure

  • Cloud provider: Google Cloud Platform (GCP), us-central1 region
  • Compute: Cloud Run (managed, auto-scaling, sandboxed containers)
  • Database: Convex (managed, with automatic backups and point-in-time recovery)
  • DNS and edge: Cloudflare (DDoS protection, DNS management)
  • Secret management: GCP Secret Manager for all production credentials and encryption keys

Encryption

  • In transit: TLS 1.2+ enforced on all service endpoints. HSTS enabled. No plaintext connections accepted.
  • At rest: All database storage and backups encrypted using provider-managed keys. Sensitive customer configuration (MCP upstream headers) additionally encrypted at the application layer before storage.
  • API keys: Stored as one-way hashes. Full key value is shown once at creation and never stored or retrievable.

Authentication and Access Control

  • Customer auth: JWT-based with 30-day session expiry. Email/password with verification, plus GitHub and Google OAuth. Session tokens are scoped to the issuing auth service.
  • API auth: Project-scoped API keys with bearer token authentication. Keys are hashed at rest and can be regenerated at any time.
  • Multi-tenancy: Organization and project isolation enforced at the database and API layers. Cross-tenant data access is architecturally prevented.
  • Internal access: Principle of least privilege. Production infrastructure access limited to essential personnel with named accounts.

Application Security

  • Input validation with Zod schemas on all API endpoints
  • Rate limiting and abuse controls at the API gateway layer
  • Structured logging with PII filtering in production logs
  • CORS, CSP, and standard security headers configured
  • Dependency vulnerability scanning in CI/CD pipeline
  • No customer data in error messages or debug output

Data Handling

  • Customer Data (tool-call payloads, policies, decisions) is processed only to deliver the Services. We do not use it to train models.
  • Decision log retention is tiered: 7 days (Free), 30 days (Team), 90 days (Business), enterprise-configurable. Data is purged after retention expires.
  • On account termination, Customer Data is available for export for 30 days, then deleted from production within 90 days and from backups within 180 days.
  • Analytics data (PostHog) is collected only with explicit cookie consent and configured with aggressive PII masking.

Incident Response

We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a data breach affecting customer data:

  • Affected customers are notified within 72 hours of a confirmed breach (per GDPR Article 33)
  • Notification includes nature, scope, likely impact, and remediation steps
  • Post-incident review and corrective actions are documented

Compliance Roadmap

SOC 2 Type I

In progress. Our security program is built against the SOC 2 Trust Services Criteria (Security). We are actively working toward completing the Type I audit.

GDPR

Compliant. Data Processing Addendum available. Standard Contractual Clauses for international transfers. Consent-gated analytics. Sub-processor transparency.

CCPA/CPRA

Compliant. No sale or sharing of personal information. Privacy rights honored. Service provider contractual commitments.

EU AI Act

Veto is classified as limited/minimal risk infrastructure. We provide transparency tooling (audit logs, decision explanations, override capabilities) to support customers' deployer obligations. See our EU AI Act compliance page.

Responsible Disclosure

If you discover a security vulnerability in Veto, please report it responsibly:

  • Email security@veto.so with details of the vulnerability
  • Include steps to reproduce, affected endpoints, and potential impact
  • We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days
  • Do not publicly disclose the vulnerability until we have had reasonable time to address it

Questions

For security questionnaires, vendor assessments, or compliance questions, contact security@veto.so.