Security & trust

The audited boundary between your stack and the card networks.

Veliro is the credential vault. Your application stops touching PANs (Primary Account Numbers, the raw card numbers) from day one, and you pick up the audited surface procurement expects. Network tokens are provisioned, lifecycled, and rotated inside a boundary built to Level 1 PCI service-provider scope, designed to be inspected, not taken on trust.

Built to PCI DSS Level 1 · SOC 2 Type II (in progress) · ISO 27001 (in progress) · PSD2 RTS aligned

Credential boundary architecture

Credential boundary · audited surface (diagram; the text version follows)

  1. Merchant · SAQ-A: Merchant UI with Secure Fields (JWE). No PAN on your servers.
  2. Level 1 PCI · credential layer (/v1/tokens): Veliro vault and cryptograms. Tenant-isolated, HSM-backed (FIPS 140-2 L3); single-use TAVV, UCAF and AEVV cryptograms with a 5-minute TTL; HMAC-signed, replayable lifecycle events with a 7-year audit chain; PSP-neutral routing policy. Cross-tenant lookup is ruled out by construction and verified by static analysis.
  3. Networks, provisioned over mTLS, scheme-issued under your TRID and portable across PSPs: Mastercard MDES, Visa VTS, American Express AETS.
  4. Downstream · rotatable: PSP / acquirer receives tok_* + cryptogram only; the same tok_* works on any acquirer.
  • Scope

    Your stack stays SAQ-A

    Secure Fields keeps every card field off your servers. PCI scope contracts to the lightest self-assessment from day one.

  • Ownership

    Credentials under your TRID

    Network tokens are scheme-issued to you, not your PSP. PAN fallback sits in Veliro's Level 1 PCI vault, never in a processor's.

  • Portability

    PSPs become rotatable

    Same tok_* on every acquirer. Switching, adding a backup, or renegotiating is a connection_id change, not a re-tokenization project.

Architecture posture

Four commitments the architecture makes, before any policy document does.

Compliance certificates describe a system. These are the structural decisions inside that system: where the keys live, how the credentials are scoped, and what a lifecycle event actually proves.

  • Tenant-isolated vault · BYOK (Bring Your Own Key) optional

    Every customer gets a single tenant-isolated vault with a tenant-scoped data encryption key (DEK). On the enterprise tier, bring your own KMS key (AWS KMS, GCP KMS, etc.): we wrap our DEK with it and never store that key outside your KMS.

  • Cryptographic key handling · HSM-backed, rotated

    Tenant keys live in FIPS 140-2 Level 3 HSMs (tamper-evident, hardware-backed cryptographic modules), with a hardware root of trust on every signature. Automatic rotation every 90 days for signing keys, every 180 days for vault DEKs, with cryptographic continuity across rotations.

  • Network-direct cryptograms · retrieved, never exposed

    TAVV (Token Authentication Verification Value, Visa), UCAF (Universal Cardholder Authentication Field, Mastercard), and AEVV (American Express Verification Value) cryptograms are retrieved directly from the network per transaction and returned as single-use values with a 5-minute TTL. They are never reused, never stored after issue, and never appear in logs.

  • Signed lifecycle events · replayable from snapshot

    Every credential state change emits an HMAC-signed event under the tenant key. Events are replayable from any vault snapshot for audit reconciliation, and a verifiable hash chain lets you prove no event was inserted, dropped, or reordered.
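As an added illustration (example code, not Veliro's own; the event fields, the canonical encoding and the constructed tenant key are assumptions), this Go program builds a chain of HMAC-signed lifecycle events and replays it from a snapshot, failing on the first inserted, dropped, reordered or tampered event:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// LifecycleEvent is an assumed event shape (not Veliro's wire format): one credential
// state change, linked to its predecessor by hash and signed with the tenant key.
type LifecycleEvent struct {
	Seq      uint64 // position in the chain, starting at 1
	Token    string // tok_* identifier
	Action   string // e.g. "provisioned", "rotated", "suspended"
	PrevHash string // hex SHA-256 of the previous event ("" for the first)
	Sig      string // hex HMAC-SHA256 over canonical(), keyed with the tenant key
}
// canonical is the exact byte string that both the hash and the signature cover.
func canonical(e LifecycleEvent) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s", e.Seq, e.Token, e.Action, e.PrevHash))
}
func eventHash(e LifecycleEvent) string {
	sum := sha256.Sum256(canonical(e))
	return hex.EncodeToString(sum[:])
}
func sign(tenantKey []byte, e LifecycleEvent) string {
	mac := hmac.New(sha256.New, tenantKey)
	mac.Write(canonical(e))
	return hex.EncodeToString(mac.Sum(nil))
}
// Append emits the next event: Seq and PrevHash are fixed from the chain so far, then it is signed.
func Append(tenantKey []byte, chain []LifecycleEvent, token, action string) []LifecycleEvent {
	e := LifecycleEvent{Seq: uint64(len(chain)) + 1, Token: token, Action: action}
	if len(chain) > 0 { e.PrevHash = eventHash(chain[len(chain)-1]) }
	e.Sig = sign(tenantKey, e)
	return append(chain, e)
}
// Verify replays events after a snapshot: prevHash is the hash of the last event the snapshot
// holds ("" for a full replay), startSeq the sequence number expected next. It reports the first
// inserted, dropped, reordered or tampered event; a wrong tenant key fails at the first signature.
func Verify(tenantKey []byte, prevHash string, startSeq uint64, chain []LifecycleEvent) error {
	for i, e := range chain {
		if e.Seq != startSeq+uint64(i) { return fmt.Errorf("event %d: sequence gap, got seq %d", i, e.Seq) }
		if e.PrevHash != prevHash { return fmt.Errorf("event %d: hash link broken", i) }
		if !hmac.Equal([]byte(e.Sig), []byte(sign(tenantKey, e))) { return fmt.Errorf("event %d: bad signature", i) }
		prevHash = eventHash(e)
	}
	return nil
}
```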

Attestations & certifications

The artifacts your procurement team will ask for first.

Veliro is built to Level 1 PCI service-provider scope. Each row in the table below shows current status. As reports complete they become available under NDA via the trust center; we are happy to share control documentation and audit timing with prospective customers today.

Compliance certifications, scope, status, and evidence

  SOC 2 Type II
    Scope: Security, availability, confidentiality controls
    Status: In progress · observation window underway
    Evidence: Request status

  PCI DSS v4.0 Level 1
    Scope: Vault, tokenization, cryptogram, lifecycle services
    Status: Scope locked · QSA assessment in progress
    Evidence: PCI scope

  ISO/IEC 27001:2022
    Scope: ISMS · keys, SDLC, vault tenancy, incident response
    Status: ISMS implemented · certification underway
    Evidence: Request status

  PSD2 RTS · EU SCA
    Scope: EBA RTS authentication delegation modes
    Status: RTS-aligned · self-attested
    Evidence: Attestations


Encryption & vault design

One vault per tenant. One key custody model. No shared cryptographic state.

Run procurement on the evidence: Veliro is the only PAN holder in your transaction path. The merchant stays SAQ-A through the Secure Fields SDK; everything below sits inside our PCI boundary.

The vault is a per-tenant cryptographic container, not a shared database with a tenant column. Every primitive below (data, keys, tenancy, scope) is bound to your tenant key and audited under our PCI Report on Compliance.

Cross-tenant lookup is impossible by construction, verified by static analysis on every release, and reviewed as part of our PCI assessment.

Vault tenancy
Each customer is provisioned a single tenant-isolated vault. No shared vault, no cross-tenant state, no global lookup surface across tenants.
Token namespace
Token identifiers are scoped to your tenant. No cross-tenant token visibility, no shared sequence, no global lookup surface: the boundary the static-analysis check above enforces on every release.
Data at rest
AES-256-GCM with a per-tenant data encryption key (DEK). DEKs are wrapped by an HSM master key in FIPS 140-2 Level 3 hardware.
Data in transit
TLS 1.3 with modern cipher suites for all customer-facing endpoints. Mutual TLS (both client and server authenticate with certificates) for connections into Mastercard MDES (Mastercard Digital Enablement Service), Visa VTS (Visa Token Service), and American Express AETS (American Express Token Service).
Key custody
Tenant keys are HSM-resident and never exportable in plaintext. Bring your own KEK (key encryption key, held in your KMS) for BYOK on the enterprise tier; we wrap our DEK with it and call your KMS for unwrap operations, so key revocation is enforced on your side.
PAN scope
The Veliro vault is the only PAN holder in the credential path. Cards enter through the Secure Fields hosted iframe and never touch your servers, keeping the merchant integration eligible for PCI DSS SAQ-A (card data never touches merchant servers).


Incident response

A practiced playbook with named owners and time-bound commitments.

A senior engineer is on call 24×7, with escalation paths defined per network. The steps below are the commitments we hold ourselves to and rehearse in tabletop exercises.

01 · Detect
Automated signals, human escalation

Datadog and our internal vault telemetry feed a PagerDuty rotation with an on-call acknowledgement target. Anomaly thresholds are tuned per network and reviewed monthly with the networks engineering team.

02 · Triage
Incident commander on-deck in 15 minutes

Severity is classified against a published matrix (S0–S3). An incident commander opens a war room, designates a scribe, and confirms whether customer data, cryptographic keys, or PAN scope is implicated.

03 · Notify
Customer notification within 24 hours

Confirmed incidents trigger written customer notification within 24 hours of confirmation, with hourly updates on S0/S1. The public status page at status.veliro.com is updated within 15 minutes of detection.

04 · Remediate
Post-incident review, published within 5 days

Every S0/S1 closes with a written post-incident review, a remediation backlog with named owners, and a quarterly tabletop exercise to drill the same scenario class across the engineering team.

Subprocessors

The full list of providers in the credential path, and what they touch.

Subprocessors are reviewed annually, contractually bound by our DPA, and listed in full below. None of them have access to plaintext PANs or cryptographic key material.

Customers are notified 30 days before any subprocessor change. Subscribe to the subprocessor mailing list from the trust center to receive change notifications by email; material changes also appear on the status page.

  Amazon Web Services
    Purpose: Vault and platform infrastructure. PAN-bearing workloads stay within the Veliro vault boundary.
    Location: United States

  Cloudflare
    Purpose: Edge termination, WAF, and DDoS protection in front of the public API. No PAN data is processed at the edge.
    Location: Global edge · TLS terminates at vault region

  Cockroach Labs
    Purpose: Managed distributed SQL for the platform control plane: merchant accounts, token references, webhook subscriptions, and audit metadata. Plaintext PANs and cryptographic key material never leave the Veliro vault.
    Location: US (multi-region)

  PagerDuty
    Purpose: On-call routing and incident escalation. Receives operational metadata only. No customer or cardholder data.
    Location: US (sub-processor of record)

  Datadog
    Purpose: Operational telemetry, log aggregation, and APM. Configured with strict redaction; PAN-bearing payloads are blocked at the agent.
    Location: US · EU (regional ingestion)

  Google Workspace
    Purpose: Corporate email, documents, and calendar for the Veliro team. Outside the CDE; no cardholder data and no production credential material.
    Location: US

  Slack
    Purpose: Internal team messaging. Outside the CDE; cardholder data is excluded from channels and DMs by policy.
    Location: US

  Google Cloud
    Purpose: Non-CDE engineering and analytics workloads only. The credential path, vault, and PAN-bearing infrastructure remain entirely on AWS.
    Location: US

Reporting vulnerabilities

One channel, coordinated disclosure, named acknowledgements.

Security researchers are how we keep getting better. The terms below are the contract we ask you to work under in exchange for legal safe harbor and public credit on the hall of fame.

Send vulnerability reports to security@veliro.com, encrypted with the PGP key on the right. We will acknowledge receipt within one business day, triage within three business days, and keep you updated on remediation progress weekly until close-out.

Coordinated disclosure terms: a 90-day window from acknowledgement to public disclosure, extendable by mutual agreement when remediation is materially complex. Valid reports are credited on our public hall of fame (with your permission and preferred handle) and routed through the appropriate bounty program when applicable.

  • In scope: The Veliro API (api.veliro.com), the Veliro Console, the Secure Fields SDK, and our marketing surfaces under *.veliro.com.
  • Out of scope: Customer applications, third-party services, social engineering of staff, denial-of-service tests against production, and physical attacks against our offices.
  • Safe harbor: Good-faith research conducted under these terms will not trigger legal action under the DMCA (Digital Millennium Copyright Act), the CFAA (Computer Fraud and Abuse Act), or equivalent statutes in the EU, UK, and APAC jurisdictions where we operate.

Procurement artifacts

What procurement asks for next, after the attestations.

SOC 2, PCI, and ISO status live in section 02 above. The list below covers the legal and operational documents procurement usually requests after the attestation table. Sign once for continuous access to completed reports under NDA.

  • Data Processing Addendum

    Standard DPA aligned to GDPR Article 28 and UK GDPR. Standard Contractual Clauses and EU-US Data Privacy Framework attached.

  • Service Level Agreement

    Uptime target with service credits, written into paid agreements and measured per a published methodology. Live status at status.veliro.com.

  • Subprocessor change notifications

    Full provider list in section 05. Customers notified 30 days before any change; subscribe from the trust center for email alerts.

  • Attestation reports (SOC 2 · PCI · ISO)

    Current status and evidence links are in the attestations table. Request audit timing or control documentation while formal reports are in progress.

Run procurement on the evidence, not the sales call.

Every report, certificate, AoC, and subprocessor change is published with current status under one access decision. Sign once, get continuous visibility for the duration of the engagement.