Security

Security at every layer.

Veriova is built with security-first principles so you can trust it with your most sensitive engineering context.

Encryption at rest

All data is encrypted at rest using AES-GCM. Each account's vector embeddings and memory items are stored in an isolated namespace.

All data in transit is protected with TLS 1.3.

Session authentication

Magic link authentication — no passwords stored. Short-lived sessions with automatic expiry. Per-project API keys scoped to specific resources.

RBAC and audit logs

Four roles: owner, admin, editor, reader. Every API call, memory change, and key event is logged with timestamps and actor attribution.

Audit logs are append-only and cannot be modified.

Secret redaction

Every outbound MCP response is scanned for sensitive patterns before it reaches the developer. Redacted patterns include:

  • Postgres and database URLs
  • AWS access keys and secrets
  • Bearer tokens and API keys
  • Private keys (RSA, EC, Ed25519)
  • JWTs and session tokens
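As an added illustration of the scan-before-return step described above (example code, not Veriova's own redaction engine), a small Python filter that covers the listed pattern classes; the regexes, the placeholder format and the sample MCP response are assumptions constructed here:

```python
import re

# Pattern classes follow the list above; the regexes themselves are an
# illustrative assumption, not Veriova's rules. Rule order matters: PEM
# blocks and JWTs are matched before the looser bearer/api-key rules.
REDACTION_RULES = [
    ("private_key", re.compile(          # RSA/EC/OpenSSH and PKCS#8 (Ed25519) blocks
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----.*?"
        r"-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----", re.S)),
    ("database_url", re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s'\"]+", re.I)),
    ("aws_access_key", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("aws_secret_key", re.compile(
        r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.I)),
    ("jwt", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b")),
    ("bearer_token", re.compile(r"\bBearer\s+[\w.~+/=-]{16,}", re.I)),
    ("api_key", re.compile(
        r"(?:api[_-]?key|token|secret)\s*[=:]\s*['\"]?([\w-]{20,})", re.I)),
]

def redact(text):
    """Return (redacted_text, list of pattern classes hit), scanning in rule order."""
    findings = []
    for name, rx in REDACTION_RULES:
        def _sub(m, name=name):
            findings.append(name)
            if m.lastindex:  # key=value form: keep the key, redact only the value
                prefix = m.group(0)[: m.start(1) - m.start()]
                return prefix + f"[REDACTED:{name}]"
            return f"[REDACTED:{name}]"
        text = rx.sub(_sub, text)
    return text, findings

# Constructed MCP response; every secret below is a fake or documented example value.
SAMPLE_RESPONSE = """\
DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZXYifQ.c2lnbmF0dXJl
X-Proxy-Authorization: Bearer tok_constructed_00000000000000000000
OPENAI_API_KEY="sk-constructed0000000000000000"
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIConstructedConstructedConstructedConstructedConstructedoAoGCCqGSM49
-----END EC PRIVATE KEY-----
Call /health to check the service.
"""

if __name__ == "__main__":
    out, found = redact(SAMPLE_RESPONSE)
    print(out)
    print("classes redacted:", sorted(set(found)))
```

A filter like this is a last line of defence only: the final paragraph of this page is right that secrets which must never leave the environment should be kept out of AI context rather than trusted to pattern matching.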

Drift detection

Veriova continuously monitors your stored knowledge for inconsistencies between what your AI believes and what is actually in your codebase.

Drift alerts are surfaced in the dashboard with severity levels from INFO through CRITICAL.

Self-hosting

Run Veriova on your own infrastructure with Docker Compose. Bring your own Postgres database and MinIO object storage. No data leaves your environment.

Full self-hosting guide available at /self-hosting.

SOC 2

SOC 2 Type II — on our roadmap

We are building toward SOC 2 Type II certification, planned for 2026. If compliance requirements are blocking your evaluation, contact us to discuss your timeline.

Responsible disclosure

Found a security issue?

We take security reports seriously and respond within 48 hours. Please do not publicly disclose vulnerabilities before we have had a chance to address them.

security@veriova.com

Security is a shared responsibility

While Veriova provides secret redaction and drift detection, we recommend treating AI tool outputs as untrusted input in production systems. Do not rely solely on Veriova's redaction for secrets that must never leave your environment — use self-hosting or keep those secrets out of AI context entirely.