Regulatory Alignment
Veristrom is designed to help organizations align with key regulatory frameworks:
| Regulation | How Veristrom Supports Compliance |
|---|
| GDPR | Client-side PII detection enforces data minimization. User consent workflow ensures no personal data is transmitted without explicit approval. Users can delete their account and all associated data. |
| CCPA | Users have full visibility into what data is being processed. Account deletion removes all stored data. No data is sold or shared for advertising purposes. |
| HIPAA | PHI detection rules identify health-related PII before it reaches AI models. Client-side scanning ensures PHI never leaves the browser without user approval. Enterprise tier supports BAA requirements. |
| SOC 2 | Cloud infrastructure provides the foundation for SOC 2 alignment. Access controls, audit logging, and encryption support Trust Services Criteria. |
Veristrom is not currently SOC 2 certified or HIPAA certified. The platform is designed with these frameworks in mind and supports organizations in meeting their own compliance obligations. Enterprise customers requiring formal certifications should contact
[email protected].
Data Protection
All data is encrypted at rest and in transit. User chat messages, AI responses, and uploaded files are stored in fully managed, encrypted cloud databases and storage. All API communication uses TLS 1.2+.
| Layer | Protection |
|---|
| Data at rest | AES-256 server-side encryption for all databases and file storage |
| Data in transit | TLS 1.2+ for all API and CDN traffic |
| File uploads | Encrypted cloud storage with per-user key isolation |
| Sensitive fields | Application-level encryption using per-user encryption keys backed by hardware security modules |
Each user's files are stored in isolated storage paths. File metadata (names, types) is encrypted at the application level using per-user encryption keys, ensuring that even internal access to the database does not expose file names.
Infrastructure
Veristrom runs entirely on enterprise-grade cloud infrastructure hosted in US-based data centers.
| Component | Capability |
|---|
| Compute | Serverless architecture — no persistent servers to patch or maintain |
| API layer | Managed API gateway with rate limiting and throttling |
| Database | Fully managed, encrypted database |
| File storage | Encrypted private cloud storage with access controls |
| Key management | Hardware security module-backed key management service |
| CDN | Enterprise CDN with DDoS protection (static assets only) |
The serverless architecture means there are no persistent servers to patch or maintain. Each API request runs in an isolated execution environment that is destroyed after use.
PII Detection & Client-Side Scanning
Veristrom's core privacy feature is its client-side PII detection engine. Before any user message or file is sent to an AI model, the content is scanned locally in the user's browser for sensitive information.
- 100+ detection rules with hundreds of pattern checks covering names, emails, phone numbers, national IDs, financial identifiers, government IDs, medical records, credentials, and more
- Client-side execution — scanning happens in the browser, not on a server. Sensitive data never leaves the user's device unless explicitly approved
- User consent workflow — detected PII is shown to the user with options to redact, approve, or cancel. No silent redaction or data suppression
- Checksum validation — structured identifiers are validated using mathematical checksums to reduce false positives
- Context-aware detection — intelligent pattern matching identifies names, company names, and other contextual PII that simple pattern matching would miss
Key principle: Veristrom does not read, log, or store the content of PII detections. The detection engine runs entirely in the user's browser. The server only receives the message after the user has reviewed and approved it.
Access Controls & Authentication
- Social sign-in — Primary authentication via verified email through trusted identity providers
- Guest access — Email-based one-time password authentication for users without social sign-in accounts
- Signed session tokens — Cryptographically signed session tokens with configurable expiry (1hr, 4hr, 8hr)
- Rate limiting — API rate limits to prevent abuse and brute-force attempts
- Input validation — All API inputs validated and sanitized server-side to prevent injection attacks
- Content sanitization — User-submitted text is stripped of potentially malicious markup and code
Data Isolation
Veristrom uses a customer data silo approach. Each user's data is logically isolated:
- Database isolation — All records are keyed by user identity. No cross-user data access is possible through the API
- File isolation — File storage paths are scoped to each user, ensuring files cannot be accessed by other users
- Team boundaries — Team features enforce membership checks. Only team owners can invite or remove members
- Encryption isolation — Per-user encryption keys mean that even if raw database records were accessed, file metadata remains encrypted with user-specific keys
AI Model Data Handling
Veristrom connects to third-party AI models via their enterprise-grade APIs. Important data handling details:
- Enterprise API access — All AI providers are accessed via their enterprise API tier, which typically excludes user data from model training
- No persistent storage — Veristrom does not cache or store AI model responses beyond what is saved in the user's chat history
- Pre-transmission scanning — Users can review and redact sensitive content before it is sent to any AI provider
- Model selection transparency — Users choose which AI model to use and can see which model generated each response
Veristrom acts as a protective layer between users and AI models. We do not control the data handling policies of third-party AI providers. Users should review each provider's terms of service and data processing agreements for their specific compliance needs.
Security Practices
- Dependency management — Regular review and update of third-party dependencies
- Input sanitization — All user inputs validated and sanitized to prevent injection attacks
- No secrets in code — All API keys and secrets stored in a secure secrets management service, not in code
- HTTPS everywhere — All endpoints enforce HTTPS
- Origin-restricted API access — API restricted to authorized origins only
Questions?
For security inquiries, compliance documentation requests, or to discuss Enterprise requirements, contact us at [email protected].