Security & trust
Veyra is built for production code. Every run is sandboxed, every action is logged, and every secret stays encrypted.
Execution sandbox
- Each run executes in an isolated, ephemeral container.
- Filesystem is scoped to the project workspace; no host paths are reachable.
- Outbound network is allow-listed per workspace policy.
Secrets
Secrets are encrypted at rest with per-workspace KMS keys and only decrypted inside the run sandbox. They are never visible to model providers.
Compliance posture
| Standard | Status |
|---|---|
| SOC 2 Type II | Certified |
| ISO 27001 | Certified |
| GDPR | Compliant — EU data residency available on Enterprise |
| HIPAA | Available with BAA on Enterprise |
Auditability
- Every tool call, model call and file diff is recorded as an immutable trace.
- Traces export to S3, GCS or your SIEM via the audit webhook.
- Workspace admins can replay any historical run.
Reporting a vulnerability
Email
security@veyra.ai. We respond within one business day and run a coordinated disclosure program.