Security
1. Overview
Veklom is committed to maintaining the security and integrity of our platform. This document outlines our security practices, vulnerability disclosure program, and how we protect your data and infrastructure.
2. Security Architecture
Transport Layer Security: All connections to Veklom services use TLS 1.3 with strong cipher suites. Our certificates are automatically managed and renewed.
Encryption at Rest: Data is encrypted using AES-256-GCM for all persistent storage, including databases and object storage.
Bring Your Own Key (BYOK): When you use BYOK features, your credentials are processed in-memory only during the active Governed Execution session. Credentials are never logged, persisted to disk, or transmitted to any party other than the intended provider endpoint.
Audit Logging: All administrative actions and governance events are logged with tamper-evident cryptographic signatures. Logs are retained according to your subscription tier.
3. Access Control
Authentication: We support OAuth 2.0 / OpenID Connect for authentication. Multi-factor authentication (MFA) is available and recommended for all accounts.
Authorization: Role-based access control (RBAC) governs all access to resources. Permissions are granted on a least-privilege basis.
Session Management: Sessions are managed with Secure, HttpOnly cookies with SameSite=Strict. Session tokens have a limited lifetime and are rotated on sensitive operations.
4. Infrastructure Security
Hosting: Veklom runs on Hetzner infrastructure in Germany. Our deployment follows industry best practices for container security and network isolation.
Network Security: Services are isolated within private networks. Public-facing endpoints are protected by Cloudflare and rate-limited.
Dependency Management: We regularly update dependencies and monitor security advisories. Critical security patches are deployed within 48 hours of availability.
5. Data Protection
Personal Data: Personal information is processed in accordance with our Privacy Policy and applicable data protection laws (PIPEDA, GDPR).
Workspace Data: Your workspace data, including prompts and outputs, is stored encrypted at rest. You control retention and deletion through Workspace settings.
Payment Data: Payment processing is handled entirely by Stripe. Veklom does not store or process credit card information directly.
5.1 Business Associate Agreement (BAA)
Veklom offers a Business Associate Agreement (BAA) to customers subject to HIPAA requirements. Our BAA covers the processing of Protected Health Information (PHI) through the Veklom platform and ensures compliance with the HIPAA Security Rule and Privacy Rule requirements.
Scope: The BAA covers all Veklom services that may process PHI, including Workspace, Playground, and Governed Execution features. PHI is processed only when explicitly authorized by the customer and is stored encrypted at rest and in transit.
How to Obtain: To request a BAA, contact us at founder@company.com. Include your organization name, contact information, and a brief description of your use case. BAAs are available at no additional cost for customers on the Regulated tier and above.
Compliance Commitments: Under the BAA, Veklom commits to implementing appropriate administrative, physical, and technical safeguards to protect PHI, reporting breaches within the required timeframe, and making our policies and procedures available for audit by covered entities.
6. Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please email us at security@veklom.com.
What to include: A detailed description of the vulnerability, steps to reproduce, and proof of concept (if applicable).
What to expect: We will acknowledge receipt within 48 hours and provide regular updates on our remediation progress. We aim to resolve critical issues within 7 days.
Safe Harbor: We will not pursue legal action against researchers who follow responsible disclosure guidelines and do not harm user data or disrupt services.
7. Incident Response
In the event of a security incident affecting personal information, we will:
- Notify affected users within 72 hours of discovery (or as required by applicable law)
- Provide details of what happened and what data was affected
- Outline steps we are taking to remediate and prevent recurrence
- Notify applicable regulatory authorities as required
8. Best Practices for Users
Account Security: Use strong, unique passwords. Enable MFA. Review your account activity regularly.
API Keys: Rotate API keys regularly. Never commit API keys to version control. Use environment variables or secret management.
BYOK: Only use API keys with appropriate permissions. Rotate keys if you suspect compromise.
Workspace: Be mindful of what you share in your workspace. Use the Vault for sensitive credentials.
9. Third-Party Security
We use vetted third-party services including Stripe (payments), Resend (email), and infrastructure providers. All third-party processors are subject to data processing agreements and security assessments.
10. Contact
For security-related inquiries: security@veklom.com
For general inquiries: hello@veklom.com
© 2026 Veklom. Security policy last updated May 25, 2026.