Trust & Security.

We protect data with a few simple disciplines: collect the least we can, store it in vendors with strong security postures, encrypt it in transit and at rest, restrict access on a least-privilege basis, and review the whole stack annually. Small surface area is itself a security control.

Velmora is not currently certified to any single framework. Our internal controls library maps to the following standards and we maintain evidence at each control:

SOC 2 (AICPA TSC 2017)

Common Criteria (CC1–CC9) and the Availability and Confidentiality categories.

ISO/IEC 27001:2022

Annex A controls in the four themes (organizational, people, physical, technological).

NIST Cybersecurity Framework 2.0

Govern, Identify, Protect, Detect, Respond, Recover.

CIS Controls v8

Implementation Group 1 across all 18 controls; selected IG2 controls.

OWASP ASVS 4.0

Level 2 for the Velmora site and the production sites we build for clients.

• Written information-security policy, reviewed annually by the leadership team.
• Security awareness training for every team member on hire and annually thereafter.
• Background checks for new hires and long-term contractors (where lawful).
• Acceptable-use, clean-desk, and remote-work policies, signed by all staff.
• Vendor risk review before any new sub-processor is onboarded; annual re-review.
• Documented offboarding checklist that revokes access within 24 hours.

Encryption in transit

TLS 1.2+ everywhere. HSTS preloaded. Strong ciphers only (AEAD).

Encryption at rest

AES-256-GCM (vendor-managed) on production storage at all sub-processors who hold client data.

Key management

Provider-managed keys with annual rotation. We do not hold our own KMS.

Data classification

Public / Internal / Confidential / Restricted, with handling rules per class.

Data minimization

We collect only what we need, retain only as long as necessary (see Privacy Policy § 10).

Anonymization

Analytics data is aggregated; we never store IPs in analytics; case-study metrics are scrubbed of direct identifiers before publication.

• Single Sign-On with mandatory multi-factor authentication on every business-critical tool.
• Hardware-key (FIDO2 / WebAuthn) authentication for high-privilege accounts.
• Least-privilege role-based access; quarterly access review with documented attestation.
• Shared credentials managed in 1Password Business; never sent over email or chat.
• Production access logged and time-boxed via just-in-time elevation.
• No standing root / admin sessions on production systems.

• Production hosting on Vercel, atop AWS in the United States (us-east-1, us-east-2).
• DNS, CDN, and DDoS protection through Cloudflare.
• Network egress to the open internet only over TLS.
• No on-premises servers; no employee laptops storing production data.
• Endpoint protection on every staff laptop, with full-disk encryption and automatic patching.
• Centralized log retention (≤ 30 days) for security and debugging.

• Secure-by-default frameworks (Next.js, Astro) with their security headers enabled.
• Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy.
• Dependencies pinned by lockfile, scanned daily by GitHub Dependabot and weekly by Socket.
• Static analysis (CodeQL) on every pull request.
• Mandatory code review before merge; two-person rule on production deployment.
• Secrets scanning on commit and in CI; pre-commit hooks reject keys.
• OWASP ASVS Level 2 baseline for client production sites.

We engage the following sub-processors. Each operates under a written agreement that requires appropriate technical and organizational measures, confidentiality, and (where applicable) Standard Contractual Clauses for international data transfers.

Cloudflare, Inc. (US)

CDN / DNS / WAF · SOC 2, ISO 27001, ISO 27018, PCI-DSS · EU–US DPF certified

Vercel Inc. (US)

Production hosting · SOC 2 Type II · EU–US DPF certified

Plausible Insights OÜ (EU)

Cookie-less analytics · EU-based, GDPR-by-design · ISO 27001 in progress

Resend, Inc. (US)

Transactional email · SOC 2 Type II · EU–US DPF certified

Stripe, Inc. (US / EU)

Payments · PCI-DSS Level 1 · SOC 1, SOC 2, ISO 27001 · EU–US DPF certified

Google LLC – Workspace (US)

Email and document collaboration · SOC 2/3, ISO 27001/17/18 · EU–US DPF certified

Notion Labs, Inc. (US)

Internal documentation · SOC 2 Type II · EU–US DPF certified

1Password (AgileBits Inc., Canada)

Secret management · SOC 2 Type II · zero-knowledge architecture

GitHub, Inc. (US, Microsoft)

Source-code hosting and CI · SOC 1, SOC 2 Type II · EU–US DPF certified

Loom, Inc. (US, Atlassian)

Video walkthroughs · SOC 2 Type II

We will provide at least 30 days' notice in our client portal before adding a new sub-processor that will process Personal Information. Clients may object on reasonable, documented grounds.

We follow a six-phase incident-response plan based on NIST SP 800-61r3:

1. Preparation — on-call rota, runbooks, tabletop exercises every six months.
2. Detection & analysis — alerting on auth anomalies, dependency CVEs, anomalous network traffic.
3. Containment — rotate credentials, isolate affected systems, preserve forensic evidence.
4. Eradication — remove cause, patch, harden, verify with a senior engineer.
5. Recovery — restore from clean backups, monitor closely for recurrence.
6. Lessons learned — post-mortem within 14 days, action items tracked to closure.

Breach notification timelines are set out in our Privacy Policy and DPA — 72 hours to supervisory authorities (GDPR) and 48 hours to clients.

We welcome security research conducted in good faith. To report a vulnerability:

• Email security@velmoraseo.com with reproduction steps, affected URL, and your contact information.
• Or read our security.txt for the full disclosure policy and PGP key.

Safe-harbor: while you are acting in good faith and within the bounds described in security.txt — no service disruption, no exfiltration of third-party data, no public disclosure before a fix is shipped — we will not pursue civil or criminal action and will treat your report as authorized under the US Computer Fraud and Abuse Act.

We acknowledge reports within one business day, send a triage update within seven calendar days, and publish a fix or remediation timeline within 30 days. We thank credited researchers in a public hall of fame on this page on request.

Recovery Time Objective (RTO)

4 hours for the Velmora site; 24 hours for production client sites we host.

Recovery Point Objective (RPO)

1 hour (rolling encrypted backups).

Backups

Encrypted, daily, retained 35 days. Restore drills every six months.

Geographic redundancy

Two AWS US regions, plus Cloudflare global edge.

Status page

Incidents and maintenance windows posted to clients in their care-plan dashboard.

The following evidence is available to clients on request from security@velmoraseo.com:

• Security & privacy questionnaire responses (CAIQ, SIG Lite, custom).
• Penetration-test summary (annual, conducted by an independent third party).
• Sub-processor SOC 2 / ISO certificates (pass-through under NDA).
• Insurance certificates (cyber, professional liability, general liability).
• Data-flow diagrams for any engagement that processes Personal Information.

We commission an independent SOC 2 Type II audit when we cross 50 active retained clients — currently projected for 2026.

Security questions: security@velmoraseo.com. Procurement diligence: legal@velmoraseo.com. General questions: hello@velmoraseo.com.