Trust Center

How Velnoro protects your Microsoft tenant and your data

Read-Only Access Guarantee

Velnoro never writes to, modifies, or deletes anything in your Microsoft tenant. Every API call is a read operation. This is enforced by the permission grant, not only by policy: Velnoro authenticates through an app registration in your own tenant that holds read-only permissions, so Microsoft would reject a write call even if one were attempted. You can confirm the granted permissions on that app registration in the Entra ID portal, and every time Velnoro authenticates, the sign-in appears in your Entra ID sign-in logs under that same app registration.

Metadata Only (Tenant Scanning)

When scanning your Microsoft tenant, we collect only resource metadata: names, types, owners, environments, and creation dates. Velnoro never reads flow definitions, app source code, business data processed by your apps, or chat content. Separately, the Program Resources feature lets your team enter governance documents and upload files of your choosing; this content comes from you, not from the scan, and is stored in your account under the same RLS isolation and access controls as your scan data.

AES-256-GCM Encryption

Your Azure credentials (client ID, client secret, and OAuth tokens) are encrypted at the application layer using AES-256-GCM authenticated encryption before they reach the database, so a copy of the database alone does not expose them. Encryption keys are stored in environment variables, never in the database or source control. All other data at rest is protected by Supabase-managed AES-256 disk encryption.

Tenant Isolation

Every database table enforces row-level security policies. Queries are automatically scoped to your account by the database itself, not by application code, so a bug in a query or an API handler cannot widen its scope: one customer can never read another customer's data, even in error conditions. Our most recent RLS audit confirmed 100% coverage across all tenant-scoped tables.

Minimal Permissions

Velnoro requests exactly two API permissions, both read-only. Microsoft Graph Organization.Read.All is used to validate your tenant. Power Platform ResourceQuery.Resources.Read is used to discover your assets. A formal audit confirmed zero unused permissions and zero overreach; you can compare this list against the permissions shown on the app registration in your Entra ID portal.

Data Retention

Free tier scan data is retained for 30 days. Pro plans retain data for 12 months. When you delete your account, all associated data is permanently removed. You can revoke Velnoro's access to your tenant at any time by deleting the client secret or removing the app registration in your Entra ID portal; this stops further scans immediately, while data already collected is removed according to the retention period above or when you delete your account.

Infrastructure

Velnoro runs on Vercel (application hosting) and Supabase (managed PostgreSQL with automatic backups). Stripe handles all payment processing. All communications use TLS encryption in transit. No credit card data ever touches Velnoro servers.

Compliance Roadmap

GDPR and CCPA compliance is addressed through Termly-managed consent, a formal Data Processing Agreement, and documented records of processing. SOC 2 Type I certification is on our roadmap. We conduct regular audits of our RLS policies, API permissions, and encryption practices.

Subprocessors

Velnoro uses the following third-party services to deliver the platform. All subprocessors are hosted in the United States.

Vercel: Application hosting, serverless functions, edge network
Supabase: Managed PostgreSQL database, authentication, storage
Inngest: Background job orchestration (scan scheduling, data retention)
Sentry: Application error monitoring (PII scrubbing enabled)
Stripe: Payment processing (no card data touches Velnoro servers)
Upstash: Redis-based rate limiting (no customer data stored)

Security Whitepaper

Our security whitepaper provides a comprehensive overview of Velnoro's security architecture, including encryption, tenant isolation, authentication, data handling, and compliance roadmap. Designed for CISOs and security teams evaluating Velnoro for procurement.

Need Detailed Security Documentation?

For in-depth security evaluations, we can provide security questionnaire responses, penetration test summaries, detailed infrastructure documentation, and signed security addenda.

Questions about our security practices?

Contact us