Velaurum

Security & trust

Built so the wrong things cannot happen.

Audit-grade isn't a feature added late. It's the floor every other floor sits on. Below: how the platform is built, where it's hosted, and what we can — and can't — claim today.

01 / Hosting

Hosted on Microsoft Azure.

Cloud provider
Microsoft Azure (Azure Container Apps for the API tier, Azure Functions for the worker tier).
Region selection
Customer-selectable at provisioning. Canada Central, US East/West, EU West, UK South, Australia East available today; additional regions on request.
Data residency
Customer data stays in the chosen region. Cross-region replication only for backup, never for live read paths.
Network isolation
All inter-service traffic over Azure VNet integration. No service exposes a public endpoint other than the API gateway.
Datastore
Azure SQL with Transparent Data Encryption, geo-redundant backups, point-in-time restore to any second within the retention window.
Messaging
Azure Service Bus with managed identities. No connection strings in code or environment variables in production.

02 / Encryption

Encrypted at every layer.

In transit
TLS 1.3 for all client and inter-service traffic. HSTS enabled. Older protocols disabled at the load balancer.
At rest
Azure SQL Transparent Data Encryption (AES-256). Storage-level encryption on all blob and file storage.
Per-tenant keys
Key Vault holds tenant-scoped keys for any data flagged sensitive. Rotation supported. Bring-your-own-key on the enterprise tier.
Secrets
All credentials and connection strings in Azure Key Vault. No secrets in source control. Single-use callback secrets purged on terminal status.
Backups
Encrypted with the same keys as live data. Backup access logged separately from production access.

03 / Tenancy

Multi-tenant, properly.

Tenant isolation is enforced at the service layer, not via global query filters. Every read and write passes OrgId explicitly. An audit reads a single boolean — was OrgId applied? — instead of a chain of filter assumptions.

  • OrgId enforced on every API call via IOrganizationContext.
  • Optional SubOrgId honored for departmental scoping where applicable.
  • OrgValidationMiddleware rejects writes with mismatched OrgId at the boundary.
  • Cross-org references in payloads return 400 with the failing field named.
  • Database row-level isolation via tenant-scoped indexes. No shared rows across tenants.
  • Per-tenant data export available on request; no data lock-in.

04 / Audit-grade

What "audit-grade" actually means.

Append-only by enforcement
The stock ledger is protected by INSTEAD OF UPDATE/DELETE triggers and a REVOKE on the table itself. Bypassing the API can't bypass the ledger.
Temporal tables
Most aggregates use SQL Server temporal history. Point-in-time queries are native — no application-side audit logging needed.
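An added T-SQL example, not Velaurum's schema, of the temporal pattern described above: a system-versioned aggregate table whose history is written by SQL Server rather than by application code. The table names (dbo.StockBalance, dbo.StockBalanceHistory), the GUIDs and the timestamp are constructed for the illustration.

```sql
-- Added example, not Velaurum's schema. SQL Server system-versioned table:
-- every UPDATE moves the previous version into the history table automatically.
CREATE TABLE dbo.StockBalance (
    OrgId     uniqueidentifier NOT NULL,         -- tenant, always explicit
    ItemId    uniqueidentifier NOT NULL,
    OnHand    decimal(18,4)    NOT NULL,
    -- Period columns are maintained by the engine (in UTC); applications cannot set them.
    ValidFrom datetime2(3) GENERATED ALWAYS AS ROW START NOT NULL,
    ValidTo   datetime2(3) GENERATED ALWAYS AS ROW END   NOT NULL,
    PERIOD FOR SYSTEM_TIME (ValidFrom, ValidTo),
    CONSTRAINT PK_StockBalance PRIMARY KEY (OrgId, ItemId)
)
WITH (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.StockBalanceHistory));
GO

-- Constructed sample activity: an opening balance, then two adjustments.
DECLARE @Org  uniqueidentifier = '11111111-1111-1111-1111-111111111111';
DECLARE @Item uniqueidentifier = '22222222-2222-2222-2222-222222222222';
INSERT INTO dbo.StockBalance (OrgId, ItemId, OnHand) VALUES (@Org, @Item, 100);
UPDATE dbo.StockBalance SET OnHand = 80 WHERE OrgId = @Org AND ItemId = @Item;
UPDATE dbo.StockBalance SET OnHand = 95 WHERE OrgId = @Org AND ItemId = @Item;
GO

-- Point-in-time read: the balance as it stood at one instant (UTC).
-- The literal is a placeholder; use the instant under review.
SELECT OrgId, ItemId, OnHand, ValidFrom, ValidTo
FROM dbo.StockBalance FOR SYSTEM_TIME AS OF '2026-01-15T09:00:00'
WHERE OrgId = '11111111-1111-1111-1111-111111111111';

-- Full change trail for one row: every version that ever existed, oldest first.
SELECT OnHand, ValidFrom, ValidTo
FROM dbo.StockBalance FOR SYSTEM_TIME ALL
WHERE OrgId = '11111111-1111-1111-1111-111111111111'
  AND ItemId = '22222222-2222-2222-2222-222222222222'
ORDER BY ValidFrom;
```

While SYSTEM_VERSIONING is ON, SQL Server rejects direct writes to the history table, so the trail cannot be edited through the normal data path. Switching versioning off requires ALTER on the table; keeping ALTER away from application principals is what makes the history trustworthy.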
Signed change history
Every change is attributed to the user or process that made it, signed and dated immutably.
Idempotent ingestion
Stock movement endpoints reject requests without an Idempotency-Key. A repeat with the same key returns the original ledger row.
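An added T-SQL example, not Velaurum's code, covering two of the items above: the append-only ledger ("INSTEAD OF UPDATE/DELETE triggers and a REVOKE on the table itself") and the idempotent write path that feeds it, with OrgId passed explicitly as section 03 describes. The object names (dbo.StockLedger, dbo.IdempotencyKey, dbo.RecordStockMovement), the role app_writer and the error numbers are assumptions for the illustration.

```sql
-- Added example, not Velaurum's schema: an append-only ledger enforced in the
-- database, fed by an idempotent write path. Object names and role are assumed.
CREATE TABLE dbo.StockLedger (
    LedgerId   bigint IDENTITY(1,1) NOT NULL CONSTRAINT PK_StockLedger PRIMARY KEY,
    OrgId      uniqueidentifier NOT NULL,       -- tenant, always explicit
    ItemId     uniqueidentifier NOT NULL,
    Quantity   decimal(18,4)    NOT NULL,       -- signed: receipts +, issues -
    RecordedAt datetime2(3)     NOT NULL CONSTRAINT DF_StockLedger_At DEFAULT SYSUTCDATETIME(),
    RecordedBy nvarchar(256)    NOT NULL        -- user or process, supplied by the service
);
GO

-- Layer 1: INSTEAD OF triggers replace UPDATE/DELETE with an error, so even a
-- principal that somehow holds the permission cannot rewrite history.
CREATE TRIGGER dbo.trg_StockLedger_NoUpdate ON dbo.StockLedger
INSTEAD OF UPDATE AS
BEGIN
    SET NOCOUNT ON;
    THROW 50001, 'StockLedger is append-only: UPDATE is not permitted.', 1;
END;
GO
CREATE TRIGGER dbo.trg_StockLedger_NoDelete ON dbo.StockLedger
INSTEAD OF DELETE AS
BEGIN
    SET NOCOUNT ON;
    THROW 50002, 'StockLedger is append-only: DELETE is not permitted.', 1;
END;
GO

-- Layer 2: the application principal holds INSERT and SELECT only. REVOKE removes
-- any earlier grant; DENY would additionally override grants inherited via roles.
REVOKE UPDATE, DELETE ON dbo.StockLedger FROM app_writer;
GRANT INSERT, SELECT ON dbo.StockLedger TO app_writer;
GO

-- Idempotency keys are unique per tenant: the same key sent under another OrgId
-- is a different request and can never return the first tenant's row.
CREATE TABLE dbo.IdempotencyKey (
    OrgId          uniqueidentifier NOT NULL,
    IdempotencyKey nvarchar(128)    NOT NULL,
    LedgerId       bigint           NOT NULL,
    CONSTRAINT PK_IdempotencyKey PRIMARY KEY (OrgId, IdempotencyKey)
);
GO

CREATE PROCEDURE dbo.RecordStockMovement
    @OrgId          uniqueidentifier,
    @IdempotencyKey nvarchar(128),
    @ItemId         uniqueidentifier,
    @Quantity       decimal(18,4),
    @RecordedBy     nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;
    SET XACT_ABORT ON;   -- any error rolls the whole transaction back
    -- A request without a key is rejected outright, never recorded.
    IF @IdempotencyKey IS NULL OR LTRIM(RTRIM(@IdempotencyKey)) = ''
        THROW 50010, 'Idempotency-Key is required for stock movements.', 1;
    DECLARE @LedgerId bigint;
    BEGIN TRANSACTION;
    -- UPDLOCK + HOLDLOCK serialises two concurrent replays of the same key
    -- without blocking unrelated keys, so exactly one of them inserts.
    SELECT @LedgerId = LedgerId
    FROM dbo.IdempotencyKey WITH (UPDLOCK, HOLDLOCK)
    WHERE OrgId = @OrgId AND IdempotencyKey = @IdempotencyKey;
    IF @LedgerId IS NULL
    BEGIN
        INSERT INTO dbo.StockLedger (OrgId, ItemId, Quantity, RecordedBy)
        VALUES (@OrgId, @ItemId, @Quantity, @RecordedBy);
        SET @LedgerId = SCOPE_IDENTITY();
        INSERT INTO dbo.IdempotencyKey (OrgId, IdempotencyKey, LedgerId)
        VALUES (@OrgId, @IdempotencyKey, @LedgerId);
    END
    COMMIT TRANSACTION;
    -- The first call and every replay return the same ledger row.
    SELECT LedgerId, OrgId, ItemId, Quantity, RecordedAt, RecordedBy
    FROM dbo.StockLedger
    WHERE LedgerId = @LedgerId;
END;
GO

-- Check an auditor can run: both triggers present and enabled, and no principal
-- other than the owner holds UPDATE or DELETE on the table.
SELECT name, is_disabled
FROM sys.triggers
WHERE parent_id = OBJECT_ID('dbo.StockLedger');

SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.major_id = OBJECT_ID('dbo.StockLedger')
  AND pe.permission_name IN ('UPDATE', 'DELETE');
```

Two caveats worth tracking alongside the controls: a principal holding ALTER on the table can disable the triggers or re-grant the permissions, and TRUNCATE TABLE fires no DML triggers at all but also requires ALTER. Keeping ALTER off every application principal is therefore part of the enforcement, and the two queries at the end are what to re-run after each deployment.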

05 / Compliance posture

Where we are. Where we're going.

We won't claim a certification we don't hold. The table below is what's actually true today and what's actually on the roadmap.

Standard                   | Status           | Detail
GDPR-aware design          | Compliant        | Data subject access, erasure, and portability supported. DPA available on request.
Designed to SOC 2 controls | In progress      | Type I audit scheduled for Q4 2026. Existing controls map to the SOC 2 Trust Services Criteria.
ISO/IEC 27001              | On the roadmap   | Target certification 2027 once SOC 2 Type II is in place. Internal controls built against the framework today.
ISO 55000 (asset mgmt)     | Designed against | Platform shape mirrors the standard's recommended structure. Useful for customers pursuing certification themselves.
HIPAA                      | Not pursued      | Not currently in scope. Talk to us if your use case requires it.
PCI-DSS                    | Out of scope     | Velaurum doesn't process payment card data.

Backups

Continuous transaction log shipping. Point-in-time restore to any second within 35 days (configurable to 365 days on enterprise tier). Weekly full-backup geo-replicated.

Disaster recovery

RTO target 4 hours, RPO target 15 minutes. Annual DR exercise conducted with documented results. Customer-facing post-mortem on any incident exceeding RPO.

Incident response

On-call rotation 24/7 for production. Customers notified within one hour of confirmed material incident. Post-incident review shared within 5 business days.

Procurement question we didn't answer here?

Send us your security questionnaire, your DPA template, or your specific control mapping. We'll respond with the actual answer, not a deflection.