Security at Velosyti
Your code and data are our most important responsibility. We employ defense-in-depth security practices across every layer of the platform.
How we protect your data
Encryption Everywhere
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database connections use SSL with certificate verification. Secrets are stored in AWS Secrets Manager, never in code or environment files.
Infrastructure Isolation
Each deployed application runs in an isolated AWS environment with its own security group, VPC subnet, and IAM role. Applications cannot access each other's resources, databases, or file systems.
Authentication & Access
Passwords are hashed using bcrypt (work factor 12). OAuth integration supports Google and GitHub. Sessions use short-lived JWT tokens with secure httpOnly cookies. Role-based access control protects team resources.
Generated Code Security
AI-generated code follows OWASP Top 10 best practices. Every template includes input sanitization, CSRF protection, parameterized queries, and proper error handling. Code is generated within strict template boundaries.
Data Protection
User databases are provisioned with unique credentials per project. Automated daily backups are kept with 30-day retention, and point-in-time recovery is available. Database access is restricted to the application layer via VPC.
Network Security
All deployed applications sit behind AWS CloudFront CDN with DDoS protection. WAF rules filter common attack patterns. Rate limiting is applied to all API endpoints. IP-based access controls are available on Business plans.
Our security practices
Secure Development Lifecycle
- All code changes go through mandatory code review
- Automated dependency scanning via Dependabot
- Static analysis and linting enforced in CI/CD
- No secrets in source control — pre-commit hooks prevent accidental exposure
- Regular security-focused code audits
Monitoring & Incident Response
- Real-time alerting on anomalous activity patterns
- Centralized logging with 90-day retention
- Automated threat detection for brute-force and credential stuffing
- 24-hour incident response SLA for critical vulnerabilities
- Post-incident review process with public transparency reports
Compliance & Standards
- SOC 2 Type II audit in progress
- GDPR-compliant data handling for EU users
- CCPA-compliant for California residents
- AWS infrastructure meets ISO 27001, SOC 1/2/3, and PCI DSS standards
- Regular third-party penetration testing
Found a vulnerability?
We take security reports seriously. If you discover a vulnerability, please report it responsibly through our disclosure process.
Report the vulnerability
Email security@velosyti.com with a detailed description of the vulnerability, steps to reproduce, and any relevant screenshots or proof-of-concept code.
We acknowledge receipt
We will acknowledge your report within 24 hours and provide a tracking reference. Our security team will begin investigating immediately.
We investigate and fix
We aim to confirm and remediate valid vulnerabilities within 7 days for critical issues and 30 days for lower severity. We will keep you updated on progress.
We credit your contribution
With your permission, we will publicly credit you in our security acknowledgments. We offer bounties for qualifying vulnerabilities — see our bug bounty policy.
Security FAQ
Can Velosyti employees access my code?
Access to user data is strictly limited to a small number of authorized personnel who require it for infrastructure maintenance. All access is logged and audited. We never read your code except when explicitly requested for support purposes, with your written consent.
Is my AI conversation data used for training?
We do not train AI models on individual user conversations. Aggregated, anonymized data may be used to improve generation quality. You can opt out entirely from any data contribution in your account settings.
What happens to my data if I delete my account?
All personal data, project files, and deployed applications are permanently deleted within 30 days of account deletion. Backups are purged within 90 days. Anonymized, aggregated analytics data may be retained.
Do you offer SOC 2 compliance reports?
We are currently undergoing SOC 2 Type II certification. Enterprise customers can request our latest security documentation and compliance reports by contacting security@velosyti.com.