Security at Veniara

You trust us with your clients' most sensitive financial information. Here's how we protect it.

Encryption

All data is encrypted at rest using AES-256 encryption. Data in transit is protected with TLS 1.3. File uploads are encrypted before storage and decrypted only when accessed by authorized users.

Infrastructure

Veniara is hosted on Vercel (frontend) and Supabase (database and storage), both running on AWS infrastructure. Data is stored in US-based data centers with SOC 2 Type II certified infrastructure providers. Database backups are automated daily with 30-day retention.

Data Isolation

Every client-facing database query is automatically scoped to your organization using PostgreSQL Row-Level Security (RLS) policies, enforced at the database engine level. Server-side administrative operations use a separate privileged connection that is restricted to specific system functions (user signup, webhook processing) and is not exposed to user-controlled inputs.
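The organization scoping described above, shown as an added illustration rather than Veniara's actual schema or policies: a hypothetical membership table and documents table, with an RLS policy keyed to Supabase's auth.uid(), followed by an in-transaction check that a user sees only their own organization's rows. Table and column names are assumptions.

```sql
-- Constructed example: hypothetical tables, not Veniara's real schema.
create table organization_members (
  user_id         uuid not null,
  organization_id uuid not null,
  primary key (user_id, organization_id)
);

create table documents (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  file_path       text not null
);

-- Without RLS enabled, a policy has no effect; FORCE also binds the table owner.
alter table documents enable row level security;
alter table documents force row level security;

-- One policy covers SELECT/INSERT/UPDATE/DELETE for signed-in users.
-- USING filters rows read; WITH CHECK rejects writes into another organization.
create policy documents_org_scope on documents
  for all
  to authenticated
  using (
    organization_id in (
      select organization_id from organization_members
      where user_id = auth.uid()
    )
  )
  with check (
    organization_id in (
      select organization_id from organization_members
      where user_id = auth.uid()
    )
  );

-- Verification inside a transaction: impersonate a user of org A and confirm
-- that only org A's documents are visible (constructed UUIDs).
begin;
insert into organization_members values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa');
insert into documents (organization_id, file_path) values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'org-a/return-2024.pdf'),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'org-b/return-2024.pdf');
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
select count(*) from documents;  -- expect 1: the org B row is filtered out
rollback;
```

The Supabase service-role connection carries BYPASSRLS and is not constrained by this policy, which is why the page confines it to fixed system functions that never receive user-controlled input.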

Access Controls

Staff members can manage all client data within their organization. Clients can only access their own documents, messages, and invoices. All API endpoints require authentication. All mutations are validated and rate-limited.

Application Security

  • Input validation on all API endpoints using schema validation (Zod)
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • HTTPS enforced with HSTS (2-year max-age)
  • No sensitive data logged or exposed in error messages

Audit Logging

All significant actions (file uploads, downloads, message sends, invoice creation, signature events, login attempts) are recorded in an immutable audit log with timestamps, actor identity, IP address, and action details. Audit logs are available to organization administrators and are retained for the duration of the subscription plus 90 days.

Compliance

Veniara is designed to help professional services firms meet their compliance obligations:

  • ESIGN Act / UETA: Electronic signatures include timestamped audit trails with IP address, document hash, and signer identity
  • IRS Pub. 4557: Encryption, access controls, and audit logging support WISP requirements
  • IRC §7216: We provide guidance on obtaining required taxpayer consent for third-party data handling
  • Data Processing Agreement: Available upon request for firms with contractual data processing requirements

Note: Veniara provides tools to support compliance but does not provide legal advice. Consult your own legal counsel regarding your specific compliance obligations.

Incident Response

In the event of a security incident that compromises customer data, we will: (a) notify affected customers within 72 hours of confirmed discovery, (b) provide a detailed incident report including scope, affected data, root cause, and remediation, and (c) cooperate with customers in meeting their own regulatory notification obligations.

Security Contact

Report security concerns to security@veniara.com. We respond within 24 hours and follow responsible disclosure practices.