Security and compliance, built in from day one.
Velsa is built by Palladium Innovations, LLC — a federal-software
firm with direct experience shipping under the DoD Risk Management
Framework at Information Protection Levels 2 through 6. The same
engineering discipline shapes Velsa.
Last updated: 31 May 2026
Compliance roadmap
Where Velsa is heading. Specific timelines firm up as we approach
each milestone.
- SOC 2 Type II (On the roadmap): Architecture is being built against the Trust Services Criteria from day one. Audit engagement begins post-private-beta.
- PCI DSS (By design): Velsa does not directly process card data. Payment flows route through a PCI-compliant processor.
- FedRAMP (Long-term path): Underlying infrastructure is built on a FedRAMP-aligned, AWS-hardened deployment, leveraging Palladium's existing federal-software experience.
Security practices
What's in place today, plus what's coming with the Enterprise tier.
In place today
- Encryption in transit — TLS 1.2+ enforced, HSTS preloaded for velsa.io domains.
- Encryption at rest — AES-256 via AWS-managed keys; database, object storage, and backups all encrypted.
- Network isolation — application and database tiers run in private subnets within an isolated VPC; no direct internet exposure of internal services.
- Backups — automated, encrypted, and retained per policy; restorable to a point in time.
- Monitoring & alerting — CloudWatch metrics and alarms across compute, database, and CDN tiers, with on-call notification.
- Role-based access control — application-level RBAC; least-privilege within the operating team.
- Secret management — no secrets in code or version control; runtime secrets via AWS-managed stores.
Coming with the Enterprise tier
- SSO via SAML and OIDC
- Deeper audit logging with configurable retention
- Customer-managed encryption keys (BYOK)
- Custom data-residency options
- Private-tenancy deployment via the Velsa Enterprise container
Data handling
Where data lives
Customer data is stored in Amazon Web Services US-East (Northern Virginia). Backup copies are encrypted and retained within the same region. Data does not leave AWS infrastructure.
What we collect
Velsa is built to manage events at venues. The product collects what's necessary to do that: contact information for attendees and counterparties, contract and booking details, financial transactions related to events, and operational data about how venues are run.
What we don't do
- We do not sell customer data.
- We do not use customer data to train AI models.
- We do not share customer data with third parties for marketing.
Retention and deletion
Data is retained for the life of your account. On account deletion, customer data is permanently removed within 30 days, except where retention is required by law or regulation.
Export
Customers can request a full export of their data at any time. Self-service export is on the roadmap.
Sub-processors
Velsa relies on the following third parties to deliver the product. This list is updated as the product evolves.
- Amazon Web Services: infrastructure, storage, compute, networking (United States)
Incident response
Velsa monitors infrastructure and application health continuously. In the event of a security incident:
- Detection via CloudWatch alarms, application logs, and customer reports.
- Triage by the engineering team within one business hour of detection.
- Affected customers are notified within 72 hours of a confirmed incident, in line with industry best practice.
- Post-incident review documents root cause, customer impact, and corrective actions.
Responsible disclosure
If you've found a security issue in Velsa, please report it to
security@velsa.io.
In scope
- The marketing site at velsa.io
- The demo environment at demo.velsa.io
- Public APIs and integrations (once published)
Out of scope
- Third-party services Velsa depends on (e.g., AWS) — report to the provider directly
- Social-engineering attacks against staff or customers
- Physical attacks against infrastructure or offices
- Findings that require an already-compromised device or network
Our commitments
- We acknowledge reports within three business days.
- We will not pursue legal action against researchers acting in good faith under this policy.
- With permission, we credit researchers in a public hall of fame once one exists.
Please don't
- Access, modify, or destroy data that isn't yours.
- Run automated scanning that disrupts service for other users.
- Publicly disclose the issue before we've had a reasonable chance to fix or mitigate.
Documents
Available now, or as Velsa matures:
- Privacy policy — how we collect, use, and protect information (Published)
- Terms of service — the terms under which Velsa is provided (Published)
- Data Processing Agreement (DPA) — available on request to privacy@velsa.io (On request)
- SOC 2 Type II report — available under NDA after audit completion (Post-audit)
- Penetration-test summary — commissioned as part of the SOC 2 engagement (Post-audit)
Questions?
Anything covered on this page — or anything we should add to it.
security@velsa.io