Trust & Security
This overview summarizes intentional engineering safeguards in Veracrew. Formal certifications referenced here are limited to attestations Veracrew has actually completed—you will not find overclaims beyond what shipped product behavior supports.
Security architecture overview
Veracrew is a multitenant SaaS application built on Next.js with server-side orchestration touching managed PostgreSQL, authenticated storage for documents, Stripe for billing webhooks, and integrated observability hooks. Tenant boundaries are modeled at the application layer with transactional consistency guarantees from the database provider.
Authentication & access control
Veracrew issues signed sessions backed by hashed credentials for password users and leverages OAuth where applicable. Sensitive roles enroll time-based MFA with backup codes to reduce account takeover blast radius. Access within an organization honors role-aware checks so workers only reach data required for assignments.
Data protection & files
Encryption in transit is enforced through HTTPS interactions. Database and object-storage encryption rely on managed infrastructure defaults documented by our vendors. Sensitive uploads funnel through authenticated flows and download via ephemeral signed URLs to avoid permanent public CDN exposure.
Monitoring & reliability
Application errors stream to Sentry-compatible collectors; PostHog captures product analytics with masking tuned for privacy. Background jobs (including Stripe billing webhooks) raise operational alerts so teams can remediate failed payments or dispatch logic quickly.
Compliance positioning
Veracrew executes security reviews, dependency hygiene, and least-privilege access patterns consistent with SOC 2-style operating procedures. We do not market completed SOC 2 Type II reports until we have them in hand. Privacy expectations line up with the separate Privacy Policy and processor inventory.
Security inquiries
For security-sensitive reports, contact your Veracrew account owner or forward details through the same onboarding email used for billing and support. Please avoid sharing active credentials in email; we will coordinate secure channels when necessary.
Frequently asked security questions
Straight answers referencing how Veracrew currently operates—not aspirational roadmap marketing.