Veles Security Policy

As an application entrusted with pricing and deal data, Veles recognizes the importance of excellent security practices. While a small team, we work to "punch above our weight on security."

General Practices

Our security foundation is built on the following core practices:

• Access to servers, source code, and third-party tools secured with two-factor authentication
• Use strong, randomly-generated passwords that are never re-used
• Employees are given the lowest level of access necessary
• Use automatic security vulnerability detection tools
• Aggressive about applying patches and quick deployment
• Do not copy production data to external devices

Access Control and Organizational Security

Personnel

All employees and contractors sign a Non-Disclosure Agreement (NDA) before accessing any sensitive information.

Authentication

We implement robust authentication measures to protect user accounts:

• User passwords are hashed using bcrypt and are never stored in plain text
• Sessions automatically expire after periods of inactivity
• We offer SSO/SAML authentication via providers like Okta and Azure Active Directory

Data Retention & Logging

Our data retention and logging practices ensure both security and privacy:

• Logs are stored separately in our log monitoring platform
• Logs are retained for 30 days, then permanently deleted
• Application analytics can be permanently deleted upon request

Vulnerability Detection

We maintain proactive security measures through:

• Regular scanning of client and backend systems for known security vulnerabilities
• Rapid patching and redeployment of vulnerable dependencies

Hosting Infrastructure

Our backend is hosted on Heroku, which operates on Amazon Web Services infrastructure. Our hosting provider maintains the following accreditations:

• ISO 27001
• SOC 1 and SOC 2/SSAE 16/ISAE 3402
• PCI Level 1
• FISMA Moderate
• Sarbanes-Oxley (SOX)

User Data Collection

We collect minimal data necessary for product improvement and support:

• Sign-in and sign-out events
• Feature interactions
• Crashes and errors
• Users are identified by email address and name only

Employee Background Checks

All employees undergo security screening including:

• Signing of Non-Disclosure Agreements
• Background checks before starting employment

Security Contact

For security-related inquiries, vulnerability reports, or other security concerns, please contact our security team at security@getveles.com.