Security

Last updated: 4 May 2026

Security posture

Verityx is designed for organisations that handle sensitive vendor and delivery data. Our security controls reflect the expectations of enterprise procurement, IT governance, and legal teams. This page summarises our current security posture and the controls we maintain.

Read-only access model

Verityx connects to your project management and source control systems using read-only API credentials or OAuth scopes. The platform cannot create, modify, or delete any data in your systems. Specifically:

Cannot modify user stories, tasks, or work items
Cannot push commits, create branches, or merge pull requests
Cannot alter test results, test plans, or test configurations
Cannot trigger deployments or modify deployment pipelines
Cannot access source code content — only commit metadata (author, date, message, files changed)

Tenant isolation

Each client engagement operates within a logically isolated tenant. Isolation controls include:

Separate database schemas per tenant — no shared tables
Tenant-scoped API authentication — credentials cannot access other tenants
No cross-tenant data queries, joins, or aggregations
Audit logs are tenant-scoped and not accessible to other clients

Encryption

In transit: All data is transmitted over TLS 1.2 or higher. API endpoints enforce HTTPS. No plaintext connections are accepted.

At rest: Audit data is encrypted using AES-256 via the infrastructure provider's managed encryption service.

Data retention and deletion

The default retention period is 90 days after the final report is generated. Retention is configurable per engagement. Clients may request immediate deletion of all audit data at any time. Deletion requests are processed within 48 hours and confirmed in writing.

Infrastructure

Verityx runs on managed cloud infrastructure with the following characteristics:

Hosted in European data centres (UK / EU region)
Managed database with automated backups and point-in-time recovery
Infrastructure-as-code deployment with version-controlled configurations
No direct server access — all administration via authenticated management plane

SOC 2 Type II

Verityx is pursuing SOC 2 Type II certification. Current controls are mapped to the Trust Services Criteria (TSC) framework across security, availability, and confidentiality. We expect to complete the observation period and receive our report in Q3 2026. Prospective clients may request a summary of current controls mapped to the TSC.

Responsible disclosure

If you believe you have found a security vulnerability in Verityx, please report it to security@verityx.io. We will acknowledge receipt within 24 hours and provide an initial assessment within 5 working days.

Contact

For security questions or to request a controls summary: security@verityx.io