Security
Your records stay yours, and we say plainly how they are protected.
Verelume handles sensitive institutional records. This page describes the controls the product is built around and separates what is in place today from what is planned. We do not claim certifications or capabilities we do not have.
In place today
Controls the platform is built on.
These are the protections in place now. If you are evaluating Verelume, we are glad to walk through the specifics of any of them.
Organization-level data separation
Each organization's records are separated so one customer's data is not exposed to another.
Row-Level Security
Access to tenant data is enforced at the database layer with row-level security policies, not only in application code.
Private storage
Uploaded records are held in private storage. They are not publicly accessible by URL.
Authenticated access only
Reaching your organization's records requires an authenticated session. There is no anonymous access to customer data.
Encryption in transit and at rest
Traffic is served over TLS, and data is encrypted at rest by our infrastructure provider.
Least-privilege access control
Internal access to systems is limited to what is needed to operate and support the product.
Planned
On the roadmap, described honestly.
These are directions we intend to pursue. They are not available today, and we will not describe them as if they were.
Independent security assessment
We plan to pursue third-party review as the product and customer base grow.
Customer-facing audit and access logs
Being developed so administrators can review activity within their own organization.
Granular roles and permissions
Planned finer-grained control over who in your organization can see and ask what.
Single sign-on (SSO)
Planned for organizations that require it. Not available today.
What we do not claim
Just as important as what we do.
Trust is easier to extend to a vendor that is clear about its limits. As of today, Verelume does not claim any of the following. If that changes, this page will change with it.
- SOC 2, HIPAA, or ISO 27001 certification
- Completed third-party penetration testing
- Zero-knowledge or end-to-end encryption
- Uptime or availability guarantees (SLAs)
- Data residency guarantees
- Single sign-on (SSO / SAML)
Have a specific security or compliance question? hello@verelume.ai. We would rather give you a precise answer than a reassuring one.
Find the gaps before a buyer does.
Start with a guided Diligence Readiness Assessment, delivered with an advisor. Verelume keeps your records organized and answerable long after the deal closes.