Security at Veluxa
Last updated: January 2026
Encryption
All credentials (Telegram bot tokens, WhatsApp access tokens, OpenAI API keys) are encrypted at rest with libsodium. All traffic in transit uses TLS 1.3. Credential storage is workspace-scoped: no cross-tenant reads are possible.
Authentication
Identity is handled by Clerk (email, Google, and a custom IdP on the Enterprise plan). MFA is supported. Session cookies are set with the Secure, HttpOnly and SameSite attributes.
Authorization
Role-based access control with four roles: Owner, Admin, Editor and Viewer. Every mutation is authorized at the API layer, and every read is scoped to the active workspace.
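An added example (written for this page, not Veluxa's code) of the authorization shape this section describes: a per-action minimum role that is checked on every mutation, and reads whose query always carries the active workspace as a filter, so an object id from another tenant returns nothing rather than leaking. The four roles and the scoping rule come from the page; the action names, session shape, membership table and sample rows are assumptions.

```javascript
// Added example, not Veluxa's code: role check on mutations plus
// workspace-scoped reads, in the shape the Authorization section describes.
const ROLE_RANK = { viewer: 0, editor: 1, admin: 2, owner: 3 };

// Minimum role for each action (action names are assumptions). Reads need any
// membership; mutations need Editor or above. Unknown actions are denied.
const ACTION_MIN_ROLE = {
  'bots:read': 'viewer',
  'bots:update': 'editor',
  'members:invite': 'admin',
  'credentials:rotate': 'admin',
  'workspace:delete': 'owner',
};

// Constructed sample membership table: userId -> { workspaceId -> role }.
const MEMBERSHIPS = {
  u_alice: { ws_alpha: 'owner', ws_beta: 'viewer' },
  u_bob: { ws_alpha: 'editor' },
};

class AuthorizationError extends Error {}

// The caller's role in the workspace the request acts on; null if not a member.
function roleIn(userId, workspaceId) {
  return (MEMBERSHIPS[userId] || {})[workspaceId] || null;
}

// Called at the API layer before any handler runs. Deny by default: no
// membership, insufficient role, or an unknown action all throw.
function authorize(session, action) {
  const { userId, activeWorkspaceId } = session;
  const needed = ACTION_MIN_ROLE[action];
  if (needed === undefined) throw new AuthorizationError(`unknown action ${action}`);
  const role = roleIn(userId, activeWorkspaceId);
  if (role === null || ROLE_RANK[role] < ROLE_RANK[needed]) {
    throw new AuthorizationError(`${userId} (${role || 'no role'}) may not ${action} in ${activeWorkspaceId}`);
  }
  return role;
}

// Constructed sample rows. Every row carries its workspace id.
const BOTS = [
  { id: 'bot_1', workspaceId: 'ws_alpha', name: 'alpha-support' },
  { id: 'bot_2', workspaceId: 'ws_beta', name: 'beta-sales' },
];

// Reads filter on the active workspace inside the query itself.
function listBots(session) {
  authorize(session, 'bots:read');
  return BOTS.filter((b) => b.workspaceId === session.activeWorkspaceId);
}

// Lookup by id AND workspace; matching on id alone would be an IDOR.
function getBot(session, botId) {
  authorize(session, 'bots:read');
  return BOTS.find((b) => b.id === botId && b.workspaceId === session.activeWorkspaceId) || null;
}

// A mutation: role check first, then the workspace-scoped lookup.
function renameBot(session, botId, newName) {
  authorize(session, 'bots:update');
  const bot = getBot(session, botId);
  if (!bot) throw new AuthorizationError(`bot ${botId} not found in ${session.activeWorkspaceId}`);
  bot.name = newName;
  return bot;
}

// Helper for exercising the checks: true if the call was permitted.
function permitted(fn) {
  try {
    fn();
    return true;
  } catch (e) {
    if (e instanceof AuthorizationError) return false;
    throw e;
  }
}
```

Two points worth noting in the design: the role comparison happens before the handler touches any data, and the workspace filter lives in the read query rather than in a post-hoc check, so a handler cannot forget to apply it. A "not found" for a cross-workspace id is deliberate; it gives no signal about whether the id exists elsewhere.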
Infrastructure
Hosted in AWS us-east-1 behind Cloudflare CDN and WAF. IAM policies follow the principle of least privilege. There is no human access to production databases except through an audited bastion host.
Audit
Every API call, moderation decision and admin action is logged. Audit logs can be exported as CSV. Retention is one year by default, longer on Enterprise.
Reporting vulnerabilities
[email protected]: we respond within 24 hours. We do not have a bug bounty yet, but we will thank you publicly and buy you something nice.