A governance tool must not create new exposure.
Veytrio exists to reduce AI risk, so the bar for our own security is the whole point. Here is exactly what we capture, how it's protected, and what we'll put in writing.
- Redaction before storage
- Tenant-scoped RBAC
- TLS in transit · encrypted at rest
- DPA available for pilots
From prompt to governed event.
Three stages, designed so sensitive content is minimised before anything is stored.
Capture
A lightweight browser extension detects supported AI tools — ChatGPT, Claude, Gemini, Microsoft Copilot — and captures governance-relevant activity. No endpoint agent, no network changes.
Redact & structure
Sensitive fields — names, emails, account numbers, credentials — are detected and redacted before storage or review. Activity becomes structured, reviewable governance events.
Tenant-scoped review
Events land in your organisation's tenant-scoped store. Only your authorised reviewers see them, through role-based access in the governance console.
What we capture — and what we don't.
Veytrio focuses on governance-relevant metadata and risk signals, not on collecting raw content.
Captured
- Which AI tool was used, and when
- Governance-relevant metadata and risk signals
- Redacted activity summaries — after sensitive fields are removed
- Risk categories and severity
- Review status and audit history
Out of scope by design
- Sensitive-field content — redacted before storage or review
- Activity outside supported AI tools
- Data from your internal systems beyond AI interactions
- Automated decisions about people — every action stays with your reviewers
The controls behind the console.
Security controls that apply to every plan, on every deployment.
Encryption
Data is encrypted in transit (TLS) and at rest.
Role-based, tenant-scoped access
Every organisation's data is tenant-scoped and separated. Access within your organisation is role-based.
Audit trail
Administrative actions are recorded in an audit history that authorised users can review.
Redaction before storage
Sensitive fields are detected and redacted before storage or review — not after.
Configurable retention
Retention windows are configured per organisation and agreed during onboarding.
Signed integrations
Webhook deliveries to your systems are signed with HMAC-SHA256, so you can verify every event came from Veytrio.
Data residency, DPA & sub-processors
Hosting and data residency are confirmed during onboarding, based on the deployment configuration agreed with your organisation. A Data Processing Agreement (DPA) is available for pilots.
Current core sub-processors: Vercel (web hosting), Render (application hosting), and Resend (email delivery). The full list for your deployment is confirmed as part of the DPA.
Certifications — honestly
Veytrio is designed against the control areas of ISO 27001 and SOC 2, and maps governance activity to GDPR, NIST AI RMF, and the EU AI Act. We do not yet hold formal certifications, and we won’t claim any until we do.
We’re happy to complete your security questionnaire and walk through the architecture with your security team on a call.
Responsible disclosure
Found a vulnerability? Report it privately and we’ll respond promptly.
Want the detail in writing?
Request a pilot and we'll walk through data handling with your security team, complete your questionnaire, and provide a DPA.