Security & Trust

How we protect your agency's data.

Brokers run their book on Velora. That means full names, plan IDs, renewal dates, premium dollars, call recordings, and reply transcripts. Below is exactly what we do with that data, who else touches it, and the honest list of what's certified vs. what's still in flight.

Tenant isolation by construction
No route reads the user header directly. Every query filters on agency_id. There is no global admin path that crosses tenant boundaries.
No claim before audit
We do not claim SOC 2, HIPAA, or specific encryption standards before a third party verifies them. Anything labeled in-flight is in-flight.
Append-only audit trail
Every dispatch, every reply, every opt-out lives in an immutable event log. Replayable per contact. Compliance-grade by design.
Control posture

Encryption

  • TLS 1.3 in transit (Shipped)

    All HTTPS endpoints terminate on TLS 1.3 via Vercel's edge network. HTTP requests are 308-redirected to HTTPS.

  • Encryption at rest (database) (Shipped)

    Neon Postgres encrypts at rest with AES-256. Database snapshots inherit the same key envelope.

  • Encryption at rest (object storage) (Shipped)

    Vercel Blob (audio uploads) is AES-256 by default. Files are scoped per-agency and require a signed URL.

  • Secrets in environment (Shipped)

    API keys, webhook secrets, and database URLs are stored in Vercel's encrypted environment, never committed to the repo.

  • Secret rotation runbook (In flight)

    Rotation of Twilio, Resend, Retell, Anthropic, and Slybroadcast credentials is currently manual; we're automating quarterly rotation.

Access control + tenancy

  • Multi-tenant scoping (Shipped)

    Every authenticated route resolves an agency through requireAgency(); no route reads the user header directly. 31 routes migrated in April 2026.

  • Per-agency data isolation (Shipped)

    All CRM tables (companies, deals, activities, notes, clients, brokers) carry agency_id columns with composite indexes; queries filter on agency_id by construction.

  • Session validation (Shipped)

    Sessions validate against the database on every request; the middleware fails closed on a database error unless an explicit fallback flag is set.

  • Password hashing (Shipped)

    bcryptjs with transparent legacy-hash upgrade on login. No plaintext passwords. No reversible hashes.

  • Production cookie hardening (Shipped)

    Session cookies use the __Host- prefix, Secure, HttpOnly, and SameSite=Lax in production.

  • Multi-factor authentication (In flight)

    TOTP-based MFA is on the roadmap for the next 90 days. SSO via Okta / Google Workspace / Azure AD is planned for the Platform tier.
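
A check for the cookie policy listed under "Production cookie hardening", added here as an example and not Velora's own code. It audits one Set-Cookie header for the stated attributes plus the two rules browsers enforce for the __Host- prefix (no Domain attribute, Path=/). The cookie name and both sample headers are constructed.

```typescript
// Added example: audit a Set-Cookie header against the cookie policy listed above.
// The cookie name and both sample headers are constructed for illustration.
const GOOD_COOKIE = "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax";
const BAD_COOKIE = "session=abc123; Domain=example.com; Path=/app; HttpOnly";

function auditSessionCookie(setCookie: string): string[] {
  const parts = setCookie.split(";");
  const pair = parts[0] || "";
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();

  // Attribute names are case-insensitive; flag attributes get an empty value.
  const attrs: Record<string, string> = {};
  for (const raw of parts.slice(1)) {
    const part = raw.trim();
    if (part === "") continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? "" : part.slice(i + 1).trim();
  }

  const findings: string[] = [];
  if (name.indexOf("__Host-") !== 0) findings.push("missing __Host- prefix");
  if (!("secure" in attrs)) findings.push("missing Secure");
  if (!("httponly" in attrs)) findings.push("missing HttpOnly");
  if ((attrs["samesite"] || "").toLowerCase() !== "lax") findings.push("SameSite is not Lax");
  // A __Host- cookie is rejected by the browser unless it is host-only and covers the whole origin.
  if ("domain" in attrs) findings.push("Domain attribute present (cookie is not host-only)");
  if (attrs["path"] !== "/") findings.push("Path is not /");
  return findings;
}
```

An empty result means the header meets the stated policy; each string in a non-empty result names one attribute to fix.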

Audit + observability

  • Append-only event log (Shipped)

    Every dispatch (email, SMS, voice, voice-drop), reply, opt-out, and webhook delivery is recorded in an immutable events table — replayable per contact.

  • Per-route capture pipeline (Shipped)

    Errors flow through a single dispatch() chokepoint in src/lib/errors/capture.ts; wiring Sentry / Axiom is a one-function swap.

  • Webhook signature verification (Shipped)

    Resend (Standard Webhooks), Twilio (validateRequest), Retell (HMAC-SHA256), and Slybroadcast (shared secret) all verify signatures before processing.

  • Request IDs (Shipped)

    Middleware stamps every request with a 12-hex request ID, propagated downstream and echoed on the response for tracing.

  • Audit log UI (Shipped)

    Admin > Audit Log surfaces the events table with filters by aggregate, kind, and date.

Compliance posture

  • Pre-send compliance gate (Shipped)

    Every outbound send routes through a single gate function (lib/compliance/pre-send-gate.ts) that layers internal suppression → state-rule engine → producer license + carrier appointment → federal/state DNC + RND + litigator scrub → EBR + PEWC consent ledger. Direct calls to a channel adapter that bypass the gate are bug-flagged in code review.

  • Producer license + carrier appointment registry (Shipped)

    Per-agency registry of producers, NPN, state licenses (line of authority + expiry), and carrier appointments. The gate denies sends attributed to a producer who lacks an active license in the recipient state, or carrier-specific outreach without a matching appointment.

  • Consent ledger + audit-export (Shipped)

    Append-only consent_records table with verbatim disclosure text, FCC-one-to-one seller_named, signature method, and source URL/IP. /api/compliance/audit-export bundles consent + sends + gate decisions + suppression entries for any contact + date range — class-action subpoena ready in under 5 minutes.

  • External scrub interfaces (In flight)

    Vendor-agnostic adapters for federal DNC, state DNC, Reassigned Number Database, and Blacklist Alliance litigator scrub all wired into the gate today. Provider implementations return 'skip' until a vendor + creds land — DNC.com, Blacklist Alliance, and Contact Center Compliance are the candidates.

  • TCPA state-rule engine (Shipped)

    Per-state JSON config covering quiet hours (8am–8pm local default; FL FTSA-strict 8am–8pm; WA / TX HB 4082; MD; OK), recording two-party consent, AI-voice disclosure (TX SB 140, CA AB 2905, FL FTSA), and per-state DNC requirements. Gate consults this matrix on every voice/SMS/RVM send.

  • STOP / HELP handling (Shipped)

    Inbound STOP, UNSUBSCRIBE, REMOVE, QUIT, CANCEL, END are honored within seconds; future sends to that contact are blocked across all channels and a suppression_list row is written immediately.

  • One-click List-Unsubscribe (Shipped)

    RFC 8058 List-Unsubscribe-Post header on every email; one-click unsub honored within Yahoogle's 2-day requirement.

  • 10DLC A2P registration (Shipped)

    Brand and campaign registration for SMS via Twilio. Walked through during onboarding.

  • DMARC monitoring (Shipped)

    Per-domain DMARC reports parsed; deliverability dashboard surfaces alignment failures + per-domain reputation.

  • SOC 2 Type II (In flight)

    Audit period scoped for late 2026. We will not claim SOC 2 on this page or in the product until the report is in hand.

  • HIPAA mode (Planned)

    Velora Marketing does not currently process Protected Health Information. A HIPAA-aware mode for agencies that handle PHI is on the roadmap; we will require a signed BAA before enabling it.

  • GDPR / CCPA / DSAR workflow (In flight)

    DSAR endpoints exist server-side. Public-facing DSAR submission flow + cookie consent banner are next.

TCPA + DNC + state law

The pre-send gate, in order

Every send that leaves the platform — email, SMS, ringless voicemail, voice, LinkedIn — passes through a single gate function before any provider call. The layers below run in this order; a deny at any layer halts the send and writes a structured reason to the events table. Audit-export reconstructs every decision.

| Layer | What it checks | Why it matters |
| --- | --- | --- |
| 1. Internal suppression | Per-tenant DNC: STOP keywords, manual ops adds, bounces, complaints, prior litigator hits cached. | Sub-millisecond local check before any provider call. Honors every prior opt-out across all channels. |
| 2. State-rule engine | Quiet hours (8am–8pm local default; FL FTSA-strict; TX HB 4082; MD; OK; WA), AI-voice disclosure (TX SB 140, CA AB 2905, FL FTSA), recording consent. | Per-state divergence is the largest TCPA risk surface. State engine is JSON-config-driven; new state laws roll out as a single PR. |
| 3. Producer license + carrier appointment | Producer must hold an active line-of-authority license in the recipient state. For carrier-specific outreach, producer must hold an active appointment with that carrier covering that state. | Insurance-vertical requirement. Soliciting in a state without a license is a state insurance commissioner referral, separate from TCPA. |
| 4. External scrubs (vendor-agnostic) | Federal DNC (every 31 days per safe harbor), state DNC, Reassigned Number Database (against consent capture date), Blacklist Alliance litigator list. | The four layers TCPA plaintiffs typically pierce on. Adapters return ‘skip’ until a vendor (DNC.com / Blacklist Alliance / Contact Center Compliance) is selected; gate logs skip with a structured reason. |
| 5. EBR (Existing Business Relationship) | Last transaction date + EBR window expiry per contact. EBR within 18 months allows marketing voice/SMS without explicit PEWC. | The most common consent path for a broker — your renewing or quoting clients are in EBR. AMS sync (Sprint 4) refreshes this automatically. |
| 6. PEWC consent ledger | Append-only consent_records: verbatim disclosure text, seller_named (FCC one-to-one), signature method, source URL/IP. Revocation appends; never UPDATE, never DELETE. | The single most-asked-for artifact in any class-action defense: ‘show me what they agreed to.’ |

Audit-export. Given a contactId and date range, /api/compliance/audit-export bundles every consent record, every gate decision (allow + deny), every send, and every suppression entry into one JSON payload. The agency can hand this to outside counsel inside of five minutes.
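
The layer ordering and halt-on-deny behaviour described above, sketched as an added example for a voice/SMS send; this is not Velora's code, and every type, field and layer name in it is hypothetical. It assumes the PEWC layer denies only when neither an active EBR nor a consent record exists, and that the scrub layer returns "skip" because no vendor is configured.

```typescript
// Added example, not Velora's code: every type, field and layer name here is hypothetical.
type Outcome = "allow" | "deny" | "skip";
interface GateEvent { layer: string; outcome: Outcome; reason: string }
interface SendRequest {
  recipientState: string;
  localHour: number;             // recipient-local hour, 0-23
  suppressed: boolean;           // result of the per-tenant suppression lookup
  licensedStates: string[];      // states where the producer holds an active license
  lastTransaction: Date | null;  // anchor for the EBR window
  hasPewc: boolean;              // an unrevoked consent record exists
  now: Date;
}
const ev = (layer: string, outcome: Outcome, reason: string): GateEvent => ({ layer, outcome, reason });

// EBR is active for 18 months after the last transaction (window taken from the table).
function ebrActive(r: SendRequest): boolean {
  if (r.lastTransaction === null) return false;
  const expiry = new Date(r.lastTransaction.getTime());
  expiry.setUTCMonth(expiry.getUTCMonth() + 18);
  return r.now.getTime() < expiry.getTime();
}

// Layers in the documented order. Layer 4 returns "skip" because no scrub vendor is configured.
const LAYERS: Array<(r: SendRequest) => GateEvent> = [
  (r) => ev("suppression", r.suppressed ? "deny" : "allow", r.suppressed ? "on suppression list" : "clear"),
  (r) => (r.localHour >= 8 && r.localHour < 20)
    ? ev("state_rules", "allow", "inside 8am-8pm local") : ev("state_rules", "deny", "quiet hours"),
  (r) => r.licensedStates.indexOf(r.recipientState) !== -1
    ? ev("license", "allow", "active license") : ev("license", "deny", "no license in " + r.recipientState),
  () => ev("external_scrubs", "skip", "no vendor configured"),
  (r) => ebrActive(r) ? ev("ebr", "allow", "transaction within 18 months") : ev("ebr", "skip", "no active EBR"),
  // Assumption: PEWC is only required when the EBR layer did not establish consent.
  (r) => (r.hasPewc || ebrActive(r))
    ? ev("pewc", "allow", r.hasPewc ? "consent record on file" : "covered by EBR")
    : ev("pewc", "deny", "no EBR and no PEWC"),
];

function preSendGate(r: SendRequest): { allowed: boolean; events: GateEvent[] } {
  const events: GateEvent[] = [];
  for (const layer of LAYERS) {
    const e = layer(r);
    events.push(e); // allow, skip and deny are all recorded for audit-export
    if (e.outcome === "deny") return { allowed: false, events }; // first deny halts the send
  }
  return { allowed: true, events };
}

// Constructed sample: licensed producer, 10am local, last transaction ten months ago, no PEWC.
const SAMPLE: SendRequest = { recipientState: "TX", localHour: 10, suppressed: false, licensedStates: ["TX", "FL"],
  lastTransaction: new Date("2025-06-01T00:00:00Z"), hasPewc: false, now: new Date("2026-04-01T00:00:00Z") };
```

The returned events array is what would be written to the events table: a denied send stops at the denying layer, so its length shows how far the request got.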

What we will not do. No outbound AI voice in v1 — TCPA-AI-voice analysis on every call. No shared phone-number pools across tenants. No 10DLC skip. No blanket-consent-to-marketing-partners UI (Jan 2025 FCC rule killed that). No B2B carve-out assumption in code — sole proprietors are consumers under TCPA, cell phones are TCPA-covered regardless of use, and the National DNC includes individual business numbers.

Sub-processors

Every vendor that sees customer data

Updated April 2026. We update this list whenever a vendor is added or a region changes. Customers can subscribe to changes via security@hellovelora.com.

| Vendor | Purpose | Region | Privacy |
| --- | --- | --- | --- |
| Vercel | Application hosting, edge network, blob storage | us-east-1 | Privacy policy |
| Neon | PostgreSQL database (primary data store) | us-east-1 | Privacy policy |
| Anthropic | AI inference (Claude — agency-context-aware) | us | Privacy policy |
| Resend | Outbound + transactional email + DMARC reporting | us | Privacy policy |
| Twilio | SMS (10DLC A2P), phone numbers, MMS, signature verification | us | Privacy policy |
| Retell AI | AI voice (inbound qualification, outbound voice agent) | us | Privacy policy |
| Slybroadcast / Drop Cowboy | Ringless voicemail dispatch | us | Privacy policy |

Data residency

US-only by default

Application infrastructure, the primary database, and object storage all live in us-east-1. Customer data does not leave the United States. We do not currently support EU residency; ask if you need it before signing.

Vulnerability disclosure

If you find something, tell us

Email security@hellovelora.com with reproduction steps. We respond within 48 hours, validate the report, patch the issue, and credit the reporter on the changelog (with permission). We don't maintain a public bug bounty program — we're too early — but we treat researchers fairly and respond fast.

Procurement-grade questions?

Send your security questionnaire to security@hellovelora.com and we'll turn it around with named owners, control evidence, and the same honest in-flight labels you see above.
