How Veyra handles evidence, insurance, sub-processors, disclosures, and incidents.
Five rules. Each one is a sentence the next reviewer can verify. Where a rule has a number — a retention window, a notification SLA, a credential lifetime — the number is stated, not implied.
- 01
Evidence handling
Retention · Deletion · Custody
Raw evidence collected during an engagement — request/response captures, screenshots, terminal logs, intermediate notes — is retained for one year from delivery. Final reports are retained for three years. Test credentials issued to Veyra are deleted within seven days of final delivery.
Engagement data is processed only on Veyra-managed infrastructure. Evidence is encrypted at rest and in transit. Custody of every evidence artifact is logged in the engagement audit table.
Raw evidence retention: 1 year from final delivery
Final report retention: 3 years; shorter on written client request
Test credential deletion: Within 7 days of final delivery
Encryption at rest: AES-256 (cloud-managed keys, vendor HSM)
Encryption in transit: TLS 1.2+ enforced; HSTS on all client-facing surfaces
- 02
Insurance
E&O · Cyber · GL
Errors and omissions, cyber liability, and general liability insurance are required before external commercial delivery. Current carrier and limits are disclosed on request, in writing, to the named procurement contact at the engaging client.
Certificates of insurance are issued on request as part of vendor onboarding and are not posted publicly.
E&O / Professional liability: Required prior to first commercial delivery
Cyber liability: Required prior to first commercial delivery
General liability: Required prior to first commercial delivery
Disclosure: Carrier and limits on written request
- 03
Sub-processors
Personnel · Reviewers · Vendors
Engagement data is processed only by Veyra personnel and the named independent technical reviewer documented in the report. Sub-processors, when added, are disclosed to clients in writing before use, with the data category, the purpose, and the contractual basis stated.
Veyra maintains a current sub-processor list available to clients on request. Material additions are notified to existing engaged clients before the new sub-processor is given access.
- 04
Security disclosures
security@veyrasecurity.io
Reports of security issues affecting Veyra infrastructure may be sent to security@veyrasecurity.io. Acknowledgement is sent within one business day. The reporter is updated on triage and remediation status; coordinated disclosure is the default.
The PGP key for security@veyrasecurity.io is published below. Reports submitted in plaintext are accepted but encrypted submission is preferred.
- 05
Incident response
SOW-defined timelines
Where an incident affects client data, clients are notified within the timelines stated in the engagement Statement of Work. The notification names what occurred, the data category affected, the time window, the remediation status, and the named Veyra incident contact.
Incident timelines are not a default — they are negotiated per engagement and written into the SOW. The minimum standard Veyra contracts to is 72 hours for a confirmed incident affecting client data.
PGP key for security@veyrasecurity.io
Submissions encrypted to this key are received by the Veyra security team. The fingerprint is published here so a reporter can verify the key out-of-band before sending sensitive material.
Fingerprint: A7F3 2B4D 8E1C 9F0A 5D6B 4F2A 9C8E 1B6D 3A7F
uid Veyra Security <security@veyrasecurity.io>
sub cv25519/0x9D4B7E2A6C1F8B0D 2026-02-12 [E]
Engagement requests receive a reply from a named assessor within one business day.