Security is not a feature.
It's the product.
Enterprise clients trust Velnoro with access to their Microsoft tenants. Every decision we make reflects that responsibility.
Security principles
Read-only access guarantee
Velnoro never writes to or modifies anything in your Microsoft tenant. Our API permissions are strictly read-only. Your data stays under your control.
Metadata only, never source code
We store asset metadata (names, types, owners, dates, connectors). We never store flow definitions, app source code, or chat content.
AES-256-GCM encryption
Sensitive fields (client secrets, client IDs, access tokens) are encrypted at rest in the application layer using AES-256-GCM. Encryption keys are stored in environment variables, never in the database.
Row-level tenant isolation
Every database query is filtered by tenant. Row-level security policies ensure one customer can never access another customer's data, even in error states.
Minimal permissions
Velnoro requests only the Microsoft Graph and Power Platform API permissions it needs. No global admin consent required. Scoped to read-only data access.
Authentication on every endpoint
No API route is accessible without valid authentication. Session tokens are validated on every request. Auth middleware protects all routes.
Infrastructure
Hosting
Application hosted on Vercel (AWS us-east-1). Edge-optimized CDN for static assets.
Database
Supabase (PostgreSQL on AWS). Encrypted at rest. Automatic backups. Point-in-time recovery.
Data residency
Application and database hosted in US-East. Contact us for data residency requirements.
Compliance roadmap
We are actively working toward SOC 2 Type II certification. Contact us for our current security posture documentation.
Security questions?
Contact our team at security@velnoro.com for security questionnaires, penetration test results, or compliance documentation.