Honest about what we do, and what we don’t.
Vela is an early-stage product. We don’t yet hold SOC 2 or ISO 27001 certification — but we do follow established practices, choose reputable infrastructure providers, and publish exactly what we run so you can make your own call.
What protects your workspace
Six concrete practices that back up our platform each day.
Infrastructure
Application hosting on Vercel with continuous deployment and automatic rollback on failure. No customer data is stored at the edge — only public marketing pages are cached there.
Data residency
Primary database and storage on Supabase (AWS ap-southeast-2, Sydney). Workspace assets, generated media, and account records stay in Australia.
Encryption
TLS 1.2+ for all traffic in transit. Workspace data encrypted at rest with AES-256 in Supabase. Passwords hashed with bcrypt (cost factor 12).
Access control
Row Level Security on every Supabase table — the database enforces tenant isolation, not just the application layer. OAuth tokens for connected platforms stored encrypted and refreshable.
Network protection
Rate limiting on authentication, publishing, and webhook endpoints. DDoS protection via Vercel's edge. Suspicious activity triggers automatic throttling.
Observability
Centralised error tracking, structured logging, and uptime monitoring. Security anomalies reviewed by the engineering team within one business day.
Our standing commitments
These don’t change between plans, between customers, or between quarters.
No AI training on customer content
Workspace content is never used to train, fine-tune, or improve models. We configure our generative AI providers to disable data-use-for-training wherever that control exists.
Minimal data collection
We collect only what we need to deliver the service. OAuth tokens request the narrowest scopes possible. We never ask for follower lists or messages from connected platforms.
People access with audit
Engineers can access production infrastructure for support purposes only. Access requires multi-factor authentication, is logged, and is reviewed quarterly.
Vendor governance
Each subprocessor (Supabase, Vercel, Resend, Google, Meta) is reviewed annually for security posture. Vendor compliance documentation is available on request.
Incident response
Documented incident response plan with on-call rotation. If customer data is involved in a confirmed breach, we notify affected customers within 72 hours as required under the Notifiable Data Breaches scheme.
Backups & recovery
Daily encrypted database backups retained for 30 days, restorable from a snapshot if needed. Workspace assets on Supabase Storage replicated within the same region.
Responsible disclosure
If you find something we missed, we’d rather hear from you than read about it elsewhere.
In scope
Authentication bypass, cross-tenant data exposure, privilege escalation, published-content integrity issues, and any vulnerability that could affect customer data or accounts.
How to report
Email security@vela-demo.io with reproduction steps and impact. Encrypted reporting via PGP available on request for high-sensitivity disclosures.
Our commitment
Acknowledgement within two business days, status updates at least weekly, and a public acknowledgement with credit (if you want it) once the fix ships.
Want the technical details?
If you’re a security reviewer or running a procurement process, email us and we’ll send the architecture summary, subprocessor list, and current controls.
security@vela-demo.io