Security

All data is encrypted at rest with AES-256-GCM. All connections use TLS 1.2+. API keys are hashed with bcrypt before storage. Plaintext keys are never stored. Screenshots and traces live in Cloudflare R2 with server-side encryption.

Retention is documented by plan tier. Free: 30-day screenshots, no trace storage. Team: 90-day screenshots, 30-day traces. Business: 1-year screenshots, 90-day traces. Approved baselines are never deleted. Data past its retention limit is permanently deleted within 48 hours.

Vera CI is working toward SOC 2 Type II certification. Foundational controls for security, availability, and confidentiality are in place. We expect to complete the audit in Q3 2026. Contact us if you need a security questionnaire before then.

Vera CI processes data as a data processor on behalf of your organization. Data Processing Agreements (DPAs) are available for all paid plans. Request data export or deletion at any time through support.

Report security vulnerabilities to security@vera-ci.com. We acknowledge reports within 24 hours and resolve critical issues within 72 hours.