Security FAQ
Common security questions about Velnoro's data access, storage, and compliance posture.
Common security questions about Velnoro's data access, storage, and compliance posture.
Frequently Asked Questions
Q: What API permissions does Velnoro require? Velnoro requires exactly two permissions, both read-only. Microsoft Graph Organization.Read.All (Application) validates your tenant metadata. Power Platform ResourceQuery.Resources.Read (Delegated) inventories your apps, flows, agents, and environments. A formal audit confirmed zero unused permissions and zero overreach.
Q: Can Velnoro modify, create, or delete anything in my tenant? No. All access is strictly read-only. The permissions Velnoro requests do not grant write access to any Microsoft API surface. Velnoro never writes to, modifies, or deletes anything in your Microsoft tenant.
Q: Can Velnoro read my flow definitions or app code? No. Velnoro uses the Power Platform Inventory API, which returns resource metadata only (names, types, owners, dates). Flow definitions and app source code are not accessible through this API.
Q: Does Velnoro access Exchange, Teams, SharePoint, or OneDrive? No. Velnoro does not request permissions for Exchange, Teams, SharePoint, OneDrive, or any Microsoft 365 workload. Access is limited to tenant metadata (Graph) and Power Platform resource inventory.
Q: Does Velnoro support multi-factor authentication (MFA)? Yes. Velnoro supports MFA for user sign-in. Users can sign in with email/password, Google OAuth, or Microsoft OAuth, and identity linking allows connecting multiple sign-in methods to a single account.
Q: How is tenant isolation enforced? Through Row-Level Security (RLS) policies at the database level. Every customer data table is scoped to a single account. This is database-engine enforcement, not application-level filtering that could be bypassed. A formal audit confirmed 100% RLS coverage across all customer data tables.
Q: Where is my data stored? In a Supabase-managed PostgreSQL database hosted in the US. Credentials are encrypted with AES-256-GCM at the application layer before storage. All data at rest is protected by AES-256 disk encryption.
Q: What is Velnoro's data retention policy? Scan data is retained for 30 days on the free tier and 365 days on the Business tier. Retention is enforced automatically by a daily background job. Credential data is retained as long as the connection exists. When you delete your account, all data is permanently removed.
Q: Does Velnoro use AI to process my data? No. Velnoro does not send your data to any AI service. All processing (health scoring, governance analysis, reporting) happens within Velnoro's own application logic.
Q: What happens if Velnoro is breached? Customer credentials are encrypted at rest with application-layer AES-256-GCM. Even with database access, an attacker cannot read credential fields without the encryption key (stored separately in environment variables). All other data is protected by AES-256 disk encryption. Velnoro's access to your tenant is also limited to read-only metadata, so a breach cannot result in modifications to your platform resources.
Q: Can I get a SOC 2 report? SOC 2 certification is on the compliance roadmap. Contact us for current security documentation and to discuss your compliance requirements.
Q: Is there a Data Processing Agreement (DPA)? Yes. Our DPA is available at /dpa. It covers tenant metadata processing, customer-entered content in Documents, subprocessor disclosures, breach notification (72-hour), data return/deletion, and international transfer mechanisms (SCCs).
Q: Does Velnoro store any of my business data? Velnoro's tenant scanning collects metadata only (names, types, owners, dates). However, the Documents feature allows your team to enter governance documents, fill out templates, and upload files. All Documents content is protected by AES-256 disk encryption at rest, RLS tenant isolation, private storage with signed URLs, and file validation. Do not enter regulated data (health records, payment cards, government IDs) unless you have independently determined compliance.
Q: Does Velnoro guarantee my governance program will be successful? No. Velnoro is an intelligence and visibility tool. It does not enforce governance policies in your Microsoft tenant, prevent users from creating applications, or guarantee that identified risks are comprehensive. You are solely responsible for governance decisions, program outcomes, and compliance of your own Power Platform environment.
Q: How do I contact Velnoro about security concerns? Email support@velnoro.com for security questions, or visit the in-app Help menu for additional contact options.
Q: Need to prove Velnoro's security posture to your security team? Share the in-app Trust Center and the Security and Trust guide.