Trust

We store the minimum to do the job. We're transparent about the rest.

Vera is a small team building software for cybersecurity vendors and MSSPs. We don't hold a SOC 2 today and we're not going to pretend otherwise. What we will do is tell you exactly what we collect, where it lives, who can see it, and what happens to it when you leave.

What we store

We keep the minimum we need to run your workspace. Nothing more, nothing speculative.

  • Account info — your name, work email, and Stripe customer ID
  • Workspace config — your ICP rules, watchlist accounts, and integration tokens (encrypted)
  • Generated briefs and prospect dossiers, kept until you ask us to delete them

What we don't do

If we don't say we do it, we don't.

  • We do not train AI models on your data
  • We do not resell, share, or cross-pollinate intelligence between clients
  • We do not store payment card details — Stripe handles all of that
  • We do not call any LLM provider that retains your prompts for training

Encryption & access

Standard practice, applied consistently.

  • All traffic over TLS 1.2+
  • Application data encrypted at rest by Supabase (managed Postgres)
  • Integration tokens (Slack, HubSpot, etc.) encrypted at the application layer
  • Internal access is role-based and limited to the engineers actively building Vera

Retention & deletion

Your data lives as long as your subscription. We delete it on request, and on cancellation.

  • Workspace data is retained while your subscription is active
  • 30 days after cancellation, all client data is permanently deleted
  • Subject access and deletion requests are honoured within 30 days
  • A Data Processing Agreement (DPA) is available on request

Architecture & isolation

Vera is a logical multi-tenant SaaS — the same architecture used by Salesforce, HubSpot, Notion, Linear, Stripe, and most modern B2B software. One managed Postgres instance (Supabase, EU region), with strict per-tenant boundaries enforced at the database layer. We don't pretend to give every customer a dedicated database — what we do is enforce isolation with discipline.

How isolation is enforced
  • Every customer-data table has Row-Level Security (RLS) policies enabled in Postgres
  • Each row carries an org_id and policies require it to match your authenticated org membership before returning the row
  • No application bug can override RLS — the rule is enforced by Postgres itself on every query from the browser
  • Unauthenticated requests cannot read any customer-specific data — only the public threat intelligence feed
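
The org_id policy described above, written out as an added example; this is not Vera's schema or code. The table names (leads, org_members), the Supabase helper auth.uid() and the Supabase role "authenticated" are assumptions. The two audit queries at the end check the conditions the guarantee depends on: RLS enabled on every table, and no unexpected role that bypasses it.

```sql
-- Hypothetical schema: every name except org_id is an assumption.
CREATE TABLE org_members (
    org_id  uuid NOT NULL,
    user_id uuid NOT NULL,
    PRIMARY KEY (org_id, user_id)
);

CREATE TABLE leads (
    id      uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id  uuid NOT NULL,
    company text NOT NULL
);

-- A user may read only their own membership rows.
ALTER TABLE org_members ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_members_self ON org_members
    FOR SELECT TO authenticated
    USING (user_id = auth.uid());

-- ENABLE turns RLS on; FORCE applies it to the table owner as well.
-- With RLS on and no matching policy, Postgres returns no rows.
ALTER TABLE leads ENABLE ROW LEVEL SECURITY;
ALTER TABLE leads FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read; WITH CHECK rejects writes that
-- would place a row in an org the caller does not belong to.
CREATE POLICY leads_tenant_isolation ON leads
    FOR ALL TO authenticated
    USING (org_id IN (SELECT m.org_id FROM org_members m
                      WHERE m.user_id = auth.uid()))
    WITH CHECK (org_id IN (SELECT m.org_id FROM org_members m
                           WHERE m.user_id = auth.uid()));

-- Audit 1: tables in the public schema where RLS is off or not forced.
SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Audit 2: roles that RLS does not apply to (superusers and BYPASSRLS).
-- Credentials for these roles belong on the server only.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

Audit 1 should return no rows after every migration; any role listed by Audit 2 reads across tenants regardless of the policies.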

What stays per-tenant
  • Your ICP configuration, buyer profiles, plays, and tone-of-voice
  • Your leads, signals, watchlist, and the GTM briefings Vera generates on them
  • Your enrichment usage, activity log, and team membership
  • Your integration tokens (CRM, Slack, n8n, etc.), encrypted at the application layer

What's shared (and why that's fine)

Public threat intelligence — CVEs from NVD, the CISA Known-Exploited-Vulnerabilities catalogue, NCSC bulletins, and public breach news — lives in a single shared layer and is correlated to your tenant at query time. No customer-specific data is ever combined into this layer, and the data is already public.

Sub-processors

Updated · 2026

The third-party services we rely on. Infrastructure providers are named below — each is enterprise-grade with their own published practices. Our data-intelligence providers are disclosed by category here, with the specific named list shipped in our Data Processing Agreement to active customers and prospects under NDA.

Data intelligence
  • B2B contact & company intelligence: Verified prospect contact data and firmographics
  • Public signal intelligence: Hiring, funding, news, tech-stack, and partnership signals
  • Email verification: Deliverability and validation checks before any outreach
  • Public-source research infrastructure: Deep research over public web content and threat feeds

The full named list of data-intelligence providers — and our complete Data Processing Agreement — is available to customers and serious prospects. Email hello@veraa.ai to receive it.

Today vs. tomorrow

We'd rather be honest than performative.

Vera is early. We don't hold SOC 2 Type I or ISO 27001 yet — both are on the roadmap, and we'll publish progress as we begin the audit. In the meantime: a DPA is available on request, our subprocessor list is published above, and the team building Vera is small enough that you can email Joe directly with any question.

Get in touch

Security questions, DPA requests, or vulnerability disclosures — email hello@veraa.ai. We respond within one business day.
