Trust & Security

Secure by default.

Velgent takes a security-first approach: guardrails live inside the engine rather than being bolted on afterward. Here is how we protect your data, your access, and your audit trail.

Access & authentication

  • Single sign-on via WorkOS AuthKit with MFA enforced for every administrator.
  • Step-up re-verification: sensitive actions (creating, rotating, or revoking secrets) require a fresh MFA code, not just an active session.
  • Scoped API keys with one-click rotation and a configurable grace window so cut-overs never break.
  • Short-lived OAuth2 client-credentials tokens (1-hour TTL) for service-to-service access.

Encryption & data protection

  • TLS for all data in transit, including the connection to the database.
  • Provider keys and other secrets encrypted at rest; secrets are never returned by the API once stored.
  • Strict HTTP security headers with a locked-down Content Security Policy.
  • Server-side validation that blocks SSRF through customer-supplied endpoint URLs (private, loopback, and cloud-metadata targets are rejected).

Tenant isolation

  • Every request is bound to a tenant whose identity is resolved at the auth boundary — callers cannot assert another tenant.
  • Tenant scoping is enforced consistently across the API, admin console, and background jobs.
  • Bring-your-own-key keeps each tenant on its own LLM provider relationship.

Auditability & monitoring

  • Durable audit log of every privileged administrative action, persisted server-side.
  • Per-call model-usage trail: what ran, on which model, at what cost.
  • A security-events feed surfaces guardrail outcomes (PII detection, prompt-injection blocks) for review.

AI-specific guardrails

  • PII detection and redaction with per-tenant profiles, including clinical PHI, applied before content reaches an LLM.
  • Prompt-injection and intent screening on inbound content, configurable fail-open or fail-closed per tenant.
  • Guardrails live inside the shared engine, so every product inherits the same trust model.

Data handling & privacy

  • Logging defaults to metadata only; raw content capture is opt-in per tenant.
  • Configurable retention with on-demand purge of stored log content.
  • You bring your own provider keys, so prompt content goes to the LLM provider you choose and control.

Infrastructure & availability

  • Hosted on Google Cloud Platform, which maintains SOC 2, ISO 27001, and physical-security certifications for the underlying infrastructure.
  • Rate limiting backed by a shared store, so limits hold across all running instances.
  • Secrets and configuration are managed outside the codebase, never committed to source control.

Compliance & documentation

We're early in our formal compliance journey. The controls described above are live in the product today, and we're glad to share our current security posture and complete your security questionnaire as part of an evaluation.

If your procurement process has specific requirements — a Data Processing Addendum, data residency, retention, or other contractual controls — get in touch and we'll work through them with you.

Talk to us about security

Evaluating Velgent for your security team? Get in touch — we'll walk your reviewers through whatever they need.