Compliance — Voluntary Security Practices
Last updated: 2026-03-15
Our Commitment to Security and Privacy
We take the security and privacy of your data seriously. Although we are not yet formally certified, we voluntarily align our technical and organisational practices with internationally recognised frameworks.
This page provides a transparent overview of the measures we have implemented and the standards that guide our operations.
GDPR Alignment
The General Data Protection Regulation (GDPR) is the cornerstone of European data-protection law. The following measures reflect our alignment with its core requirements:
- Principles (Art. 5 GDPR) — Processing in accordance with lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
- Lawful Basis (Art. 6 GDPR) — Every processing activity is mapped to a valid legal basis, including explicit consent where required.
- Data Minimisation — We collect only the personal data strictly necessary for the stated purpose and delete it when it is no longer needed.
- Data-Subject Rights — Users may exercise their rights to access, rectification, erasure, restriction, portability and objection at any time.
- Processor Agreements (Art. 28 GDPR) — All third-party processors are bound by data-processing agreements that meet GDPR requirements.
- Encryption — Personal data is encrypted in transit (TLS 1.2+) and at rest where technically feasible.
- Privacy by Design (Art. 25 GDPR) — Data-protection principles are embedded into system architecture and default settings from the outset.
- Breach Notification — In the event of a personal-data breach we are committed to notifying the competent supervisory authority within 72 hours and informing affected individuals without undue delay, as required by Art. 33/34 GDPR.
ISO 27001 Alignment
ISO/IEC 27001 defines the requirements for an information-security management system (ISMS). Our technical controls are aligned with its key objectives:
- Access Control — System and data access is restricted to authorised personnel through separated user and administrator roles, with admin privileges re-verified on every request.
- Password Policy — Passwords are never stored in plaintext; they are hashed with dedicated, salted, work-factor-tunable password-hashing algorithms (bcrypt / Argon2) and must meet minimum complexity requirements.
- Session Management — Sessions are time-limited, bound to a device fingerprint, periodically regenerated and fully invalidated on logout.
- HTTPS Enforcement — All traffic is served over HTTPS, and HSTS headers instruct browsers to refuse plaintext HTTP connections to our domains, preventing protocol-downgrade (SSL-stripping) attacks.
- Security Headers — Responses include Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and Referrer-Policy headers.
- Rate Limiting — API and authentication endpoints are rate-limited to mitigate brute-force and denial-of-service attacks.
- Audit Logging — Security-relevant events such as logins, authentication failures and permission changes are logged with timestamps and pseudonymised identifiers. We are progressively expanding audit coverage across all services.
- Input Validation — All user input is validated and sanitised server-side, since client-side checks alone can be bypassed, to reduce the risk of injection, XSS and other common attack vectors.
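The HSTS and security-header controls listed above can be checked from the outside using nothing but a captured set of response headers. The script below is an added example written for this page, not Veleiras code; the header sets it contains are constructed for illustration, and the thresholds it applies (a one-year HSTS max-age, rejecting 'unsafe-inline' and 'unsafe-eval' in CSP) are common practitioner recommendations rather than anything this page states.

```python
"""Offline audit of the response-header controls described on this page.

Added example, not Veleiras code. GOOD_HEADERS and WEAK_HEADERS are
constructed samples, not captured responses. The thresholds (one-year
HSTS max-age, no 'unsafe-inline'/'unsafe-eval' in CSP) are common
recommendations, not requirements stated on the page.
"""
from __future__ import annotations

ONE_YEAR = 31_536_000  # seconds; a commonly recommended minimum HSTS max-age


def _get(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    directives = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                directives["max-age"] = int(arg.strip().strip('"'))
            except ValueError:
                directives["max-age"] = None  # malformed value: treat as absent
        elif name == "includesubdomains":
            directives["includeSubDomains"] = True
        elif name == "preload":
            directives["preload"] = True
    return directives


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = parse_hsts(hsts)
        if d["max-age"] is None or d["max-age"] < ONE_YEAR:
            findings.append(f"HSTS max-age below one year: {d['max-age']}")
        if not d["includeSubDomains"]:
            findings.append("HSTS lacks includeSubDomains")

    # Simple heuristic: a policy that permits inline script or eval gives
    # little XSS protection. Nonce-based policies with 'strict-dynamic' may
    # legitimately carry 'unsafe-inline' as a fallback; review those by hand.
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows unsafe-inline or unsafe-eval")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if _get(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy missing")

    return findings


# Constructed sample header sets (not captured from any real server).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",  # short, no includeSubDomains
    "content-security-policy": "default-src * 'unsafe-inline'",
    "x-content-type-options": "nosniff",
    # X-Frame-Options and Referrer-Policy deliberately absent
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["all checks passed"])
```

To run it against a live site, feed `audit_security_headers` the header dictionary from an HTTPS response (for example `requests.get(url).headers`); the function only inspects the values it is given and makes no network calls itself.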
SOC 2 Alignment
SOC 2 defines trust-service criteria for managing customer data. We align our practices with the following principles:
- Security — Systems are protected against unauthorised access through web-application firewalls, rate limiting, CSRF protection and session fingerprinting.
- Availability — Infrastructure is hosted with providers that offer high-availability guarantees. We are evaluating additional redundancy and backup measures as the platform grows.
- Confidentiality — Confidential data is classified, access-controlled and encrypted to prevent unauthorised disclosure.
- Privacy — Personal information is collected, used, retained and disclosed in conformity with our privacy policy and applicable regulations.
Infrastructure and Sub-Processors
We rely on carefully selected third-party providers, each chosen for their own compliance posture:
- Hosting — Application servers are hosted in EU data centres operated by providers that maintain ISO 27001 and SOC 2 certifications.
- CDN and DDoS Protection — Content delivery and DDoS mitigation are provided by a globally distributed network with enterprise-grade security.
- Payment Processing — All payment transactions are handled by a PCI DSS Level 1 certified processor; no card data is stored on our servers.
- Analytics and Tracking — We do not use any third-party analytics services, tracking pixels or cross-site cookies. Aggregate usage data is collected internally and anonymously where needed.
Contact
If you have questions about our security practices or wish to report a vulnerability, please contact us via the details provided on our imprint page.
privacy@veleiras.com
This page describes voluntary security practices. It does not constitute a legal guarantee or formal certification.