Security · Compliance · Data residency

Security posture for regulated EU customers.

Veritor is built for banks, fintechs, and compliance teams whose own customers ask hard questions about data handling. We answer them in writing: encryption, residency, retention, audit access, sub-processors, incident response. DPA available on request.

01 / Encryption & infrastructure

Standard everywhere, no shortcuts

Data at rest
AES-256 encryption on all stored data — PostgreSQL TDE, application-level field encryption for tenant-sensitive payloads, KMS-managed keys with rotation policies.
Data in transit
TLS 1.3 enforced on all public endpoints. mTLS option for Enterprise-tier API consumers. HSTS preloaded.
EU-only residency
Primary region Frankfurt. Polish data region (Warsaw) available on Enterprise tier. Dublin standby replica. No US data transfer by default.
Multi-tenant isolation
PostgreSQL Row-Level Security via AuthVault. Per-tenant encryption keys. Cross-tenant access architecturally impossible.
Audit logs
Every API call logged with timestamp, source IP, user, tenant, and payload digest. Retained 6 years by default. Customer-accessible via the /v1/audit endpoint.
02 / Compliance & certifications

Where we are, where we're going

GDPR
Active
GDPR-compliant by design. Full data-subject rights, EU-domiciled processing, DPA template, SCCs for any non-EU sub-processor.
ISO 27001
Readiness — Q3 2026
Implementing ISMS controls to ISO/IEC 27001:2022. External certification audit scheduled Q3 2026.
SOC 2 Type II
Roadmap — H2 2026
SOC 2 Type II observation window starts Q3 2026, with completion expected late 2026 / early 2027. Available for customers with US-side procurement requirements.
eIDAS 2.0 QTSP scope
Strategic roadmap
Qualified Trust Service Provider scope for entity attribute attestations. EUDI Wallet integration trajectory.
03 / Disclosure & incident

Talk to us about vulnerabilities

If you've found a vulnerability, please follow our disclosure policy at /.well-known/security.txt. Encrypted email to security@veritor.org is preferred. We acknowledge within 48 hours, triage within 5 business days, and post fix-timeline updates per CVD norms.

For incidents affecting your data: customer-facing incident notification within 72 hours of a confirmed breach (GDPR Art. 33). For security-relevant non-incidents (e.g., elevated DDoS, suspicious authentication patterns), we publish to the status page.