Security
1. Our approach
Security is built in, not bolted on. We've designed Veyago around a short list of principles:
- Collect less. The best way to protect data is not to have it. Passport-related data (we ask only for nationality, never the passport number) and budget data for group sessions are deleted 30 days after a session ends. Payment card data is never stored by us at all.
- Encrypt everything. In transit and at rest. No exceptions.
- Limit access. Only the people who need production access have it, with hardware-key multi-factor authentication.
- Use boring, audited infrastructure. Supabase, AWS, Cloudflare, Stripe — companies that invest far more in security than a startup our size ever could.
- Be honest about what we haven't done yet.
2. Encryption
In transit. All connections between your device, our website, and our backend use TLS 1.2 or higher. HSTS is enforced on our domains via Cloudflare.
At rest. All data stored in Supabase (hosted on AWS) is encrypted at rest with AES-256. Backups are encrypted with the same standard.
3. Infrastructure
- Supabase (backend, database, authentication, file storage) hosts our data on AWS eu-west-1 (Ireland, within the EEA). Supabase holds a SOC 2 Type 2 report.
- AWS, the cloud provider underneath Supabase, holds SOC 2 reports, ISO 27001 certification and PCI DSS attestation, and publishes its GDPR compliance documentation.
- Cloudflare sits in front of our website as CDN and DDoS protection.
- Stripe (PCI DSS Level 1), Apple App Store, and Google Play process all payment card data. Veyago never sees or stores raw card data.
- Transactional email is sent via Resend.
4. Authentication
- Authentication is handled by Supabase Auth — email/password, Sign in with Apple, and Google OAuth.
- Passwords are stored as bcrypt hashes; we never see your plaintext password.
- Session tokens are JWTs with a 1-hour lifetime, paired with refresh tokens that rotate on use. The short lifetime matters because a JWT is accepted on the strength of its signature rather than checked against the server on every request, so it stays usable until it expires; rotation means a refresh token that has already been exchanged cannot be used a second time.
- Suspicious sign-in attempts trigger rate limiting and, in some cases, a verification step.
5. Application and database security
- Supabase Row Level Security (RLS) is enabled on every table. Users can only read and write their own data; enforcement happens at the database layer, not just in the app.
- Code review is required for every change to production code.
- Dependencies are scanned continuously for known vulnerabilities and updated on a regular cadence.
- Crash reports (Sentry) are scrubbed of personal data and deleted after 90 days.
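The policy pattern behind the row-level-security bullet, as an added example rather than Veyago's own schema or code. The `trips` table, its column names and the two audit queries are assumptions made for illustration; `auth.uid()` and the `authenticated` role are the standard Supabase building blocks. The audit queries are the check a reviewer would run after every migration, because RLS is a per-table switch and "enabled on every table" is only true until the next `create table`.

```sql
-- Added example, not Veyago's schema: a hypothetical per-user "trips" table
-- showing how Supabase RLS ties every row to the user identity in the JWT.

-- 1. user_id defaults to the caller's identity so an INSERT cannot quietly
--    claim another user's id. auth.uid() reads the sub claim of the request JWT.
create table public.trips (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null default auth.uid() references auth.users (id) on delete cascade,
  title      text not null,
  created_at timestamptz not null default now()
);

-- 2. Turn RLS on and FORCE it so the table owner is not exempt either.
--    Without this, any role with table privileges sees every row.
alter table public.trips enable row level security;
alter table public.trips force row level security;

-- 3. Policies scoped to the authenticated role. USING filters the rows a
--    statement may see; WITH CHECK validates the rows a statement writes.
--    No policy is granted to anon, so the public API key gets nothing.
--    Wrapping auth.uid() in (select ...) lets Postgres evaluate it once per query.
create policy "trips: owner can read"
  on public.trips for select to authenticated
  using ((select auth.uid()) = user_id);

create policy "trips: owner can insert"
  on public.trips for insert to authenticated
  with check ((select auth.uid()) = user_id);

create policy "trips: owner can update"
  on public.trips for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "trips: owner can delete"
  on public.trips for delete to authenticated
  using ((select auth.uid()) = user_id);

-- 4. Audit: any row returned here is a table in the API-exposed schema with
--    no row filtering at all. Expect an empty result.
select n.nspname as schema_name, c.relname as table_name,
       c.relrowsecurity as rls_enabled, c.relforcerowsecurity as rls_forced
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and not c.relrowsecurity;

-- 5. The opposite failure: RLS enabled but zero policies denies everything,
--    which is safe but means the table is unusable through the API.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and c.relrowsecurity
group by c.relname
having count(p.oid) = 0;
```

The separate insert, update and delete policies are deliberate: a single `for all` policy with only a `using` clause would let a user move a row to another `user_id` on update, because `using` is evaluated against the old row and `with check` against the new one.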
6. What we store — and what we don't
| We store | We never store |
|---|---|
| Your email, name, display name, profile photo | Your raw payment card number, CVV, or expiry date |
| Your travel preferences and swipe history | Your passport number (we only ask for nationality, per session, deleted 30 days after) |
| Your subscription tier and transaction IDs | Your plaintext password |
| Your opt-in Explorer Map data | Unencrypted backups or logs |
7. Certifications — honestly
We do not currently hold a SOC 2 Type 2 or ISO 27001 report. Formal audits typically cost between €25,000 and €100,000 and take 6–12 months.
What we do today:
- Data encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Infrastructure runs on Supabase (SOC 2 Type 2), AWS (multiple certifications), and Cloudflare — so large parts of our stack are audited even though our own company is not yet.
- Least-privilege access with hardware-key MFA for everyone with production access.
- Continuous dependency scanning.
- Row-level security on all database tables.
- Regular backups, tested restores, encrypted at rest.
- A written incident response plan and a commitment to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, as required by GDPR Article 33.
On our roadmap: SOC 2 Type 1 once our team and revenue justify it. If you need a security review sooner, email hello@veyago.app and we'll send a completed CAIQ-Lite questionnaire within 5 business days.
8. Incident response and breach notification
If we experience a personal data breach, we will notify the relevant supervisory authority (Belgian Data Protection Authority as our lead) within 72 hours where the breach is likely to result in a risk to users' rights and freedoms, in line with GDPR Article 33. Where the breach is likely to result in a high risk, we'll also notify affected users directly, without undue delay, in line with Article 34.
9. Responsible disclosure
How to report. Email hello@veyago.app with "Security" in the subject line, including: a description of the vulnerability; steps to reproduce; the potential impact; your name or handle for credit (or tell us you'd prefer to stay anonymous).
What we commit to:
- We'll acknowledge your report within 3 business days.
- We'll keep you updated on our progress.
- We will not take legal action against researchers who follow this policy in good faith.
- Once fixed, we'll publicly credit you (with your permission) on our security acknowledgements page.
In scope: veyago.app and subdomains; our iOS and Android apps; our API.
Out of scope: denial-of-service attacks; social engineering; physical attacks; vulnerabilities in third-party services (report those to the vendor); automated scanner output without a demonstrated impact.
No monetary bounty yet. We don't currently offer cash rewards. We offer public credit and genuine thanks. Please give us a reasonable window (we aim for 90 days) to fix an issue before public disclosure.
10. Your role
Security is shared. Please use a strong, unique password (or Sign in with Apple / Google), don't share your account, log out on shared devices, and email us immediately at hello@veyago.app if you suspect your account has been accessed by someone else.
11. Contact
Security questions and vulnerability reports: hello@veyago.app.