Our commitment: As a compliance infrastructure company, security is foundational to everything we build. We hold ourselves to the same standards we help our customers meet.
Encryption everywhere
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Cryptographic keys are managed through dedicated hardware security modules.
Privacy by design
PII is detected and redacted client-side before any data reaches our infrastructure. We never store plaintext personal information.
Open verification
Our verification tools are open-source and MIT-licensed. You can independently verify every receipt without relying on Veratum infrastructure.
Infrastructure isolation
Customer data is logically isolated. Enterprise customers can deploy in their own VPC or on-premises, with no data leaving their environment.
Data handling
Veratum processes AI decision metadata — not the raw inputs or outputs of your AI systems. Our receipt system captures cryptographic hashes and compliance metadata while keeping sensitive content within your infrastructure.
- Append-only storage: Audit trail data is stored in immutable, append-only logs that cannot be modified or deleted (except through GDPR erasure processes using per-subject encryption keys).
- Data residency: Data is processed and stored in the region you select. We support US and EU regions, with additional regions available for Enterprise customers.
- Retention: Data retention periods are configurable per plan and per regulatory requirement. When retention expires, data is securely and irreversibly destroyed.
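The combination described above, an append-only, hash-chained audit log in which each subject's content is encrypted under its own key so that GDPR erasure means destroying that key rather than editing the log, is commonly called crypto-shredding. The following is an added illustration of that pattern; it is not Veratum's code and assumes nothing about their receipt format. It uses an HMAC-SHA256 keystream plus tag as a stand-in for the AES-256 authenticated encryption the page names, so the cipher here is illustrative only, while the log and key-store logic is the real technique.

```python
import hashlib
import hmac
import json
import os

# ---- per-subject key store (hypothetical, stands in for an HSM-backed KMS) ----
class SubjectKeyStore:
    """One random 256-bit key per data subject.

    erase() is the GDPR erasure step: the ciphertext stays in the immutable
    log, but without the key it is permanently unreadable.
    """
    def __init__(self):
        self._keys = {}

    def key_for(self, subject_id):
        return self._keys.setdefault(subject_id, os.urandom(32))

    def get(self, subject_id):
        return self._keys.get(subject_id)

    def erase(self, subject_id):
        self._keys.pop(subject_id, None)


# ---- illustrative authenticated encryption (replace with AES-256-GCM in practice) ----
def _keystream(key, nonce, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # integrity tag
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# ---- append-only, hash-chained log ----
class AppendOnlyLog:
    def __init__(self):
        self.entries = []   # entries are appended and never mutated

    def append(self, subject_id, ciphertext, metadata):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"subject_id": subject_id, "ciphertext": ciphertext.hex(),
                 "metadata": metadata, "prev_hash": prev}
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return len(self.entries) - 1

    def verify_chain(self):
        """True if every entry hashes correctly and links to its predecessor."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev_hash"] != prev or digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def record_decision(log, keys, subject_id, sensitive_payload, model_id):
    """Store only a hash of the payload in cleartext metadata; the payload
    itself is encrypted under the subject's key."""
    metadata = {"model_id": model_id,
                "payload_sha256": hashlib.sha256(sensitive_payload).hexdigest()}
    return log.append(subject_id, encrypt(keys.key_for(subject_id), sensitive_payload), metadata)

def read_payload(log, keys, index):
    """Returns the plaintext, or None if the subject's key has been erased."""
    entry = log.entries[index]
    key = keys.get(entry["subject_id"])
    if key is None:
        return None
    return decrypt(key, bytes.fromhex(entry["ciphertext"]))


if __name__ == "__main__":
    log, keys = AppendOnlyLog(), SubjectKeyStore()
    i = record_decision(log, keys, "subject-A", b"constructed sample: loan denied", "model-v1")
    keys.erase("subject-A")                      # erasure request for subject-A
    print(read_payload(log, keys, i))            # None: log intact, content gone
    print(log.verify_chain())                    # True: chain still verifies
```

The point to notice is that erasure never touches `log.entries`, so the hash chain, and any receipts built on it, keep verifying after a subject's data has become unrecoverable; only the cleartext `payload_sha256` remains, which is what lets a receipt be checked without revealing the content.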
Access control
- Authentication: All API access requires cryptographically signed API keys. Dashboard access supports SSO/SAML on Team and Enterprise plans.
- Least privilege: Internal access to production systems follows strict least-privilege principles with mandatory multi-factor authentication.
- Audit logging: All access to customer data is logged and monitored. We practice what we preach.
Incident response
We maintain a documented incident response plan and will notify affected customers within 72 hours of confirming a security incident involving their data, consistent with GDPR Article 33 notification requirements.
Responsible disclosure
If you discover a security vulnerability, please report it to security@veratum.ai. We commit to acknowledging reports within 24 hours and providing a resolution timeline within 5 business days. We do not pursue legal action against researchers acting in good faith.
Compliance & certifications
We are actively pursuing the following certifications and compliance frameworks:
- SOC 2 Type I — In progress
- GDPR — Compliant; DPA available for Enterprise customers
- EU AI Act — Our product is specifically designed to help customers meet Article 12 requirements
Questions?
For security inquiries, concerns, or to request our security documentation, contact us at security@veratum.ai.