Security

Straight answers on security and data.

We publish what’s true today, in plain English — each claim paired with the mechanism behind it — and we’ll walk your technical person through any of it.

What’s true today

Each claim, paired with the mechanism behind it.

Encrypted in transit

TLS everywhere — every request between you, your customers, and Vorena is encrypted.

Tenant isolation

Every dashboard route resolves your account server-side (resolveClientForUser) — you only ever see your own data.

Rate limiting that fails closed

When the limiter can't confirm a request is under budget, it's denied — never waved through.

Prompt-injection guard

The widget passes our 8/8 adversarial test suite — it won't be talked out of its instructions.

AI input caps + a hard cost circuit breaker

Inputs are bounded and spend is halted before it can run away.

Hosted in the U.S.

Our infrastructure runs in U.S. regions.

Connector tokens encrypted at rest

OAuth tokens for the tools you connect are encrypted in storage.

Export anytime, deletion on request

Completed and confirmed — your data stays yours.

Role-based access

Team accounts get role-based permissions.

What we don’t claim

  • Protected health information — we don't handle it yet. Our HIPAA program (BAAs, safeguards, documented policies) is in progress; if you're a healthcare practice, talk to us and we'll tell you exactly where we stand.
  • No compliance badges we haven't been audited for. When we claim a standard, it's because we've met it.

Ask us anything specific.

Have a question we didn’t answer here? Email support@vorena-ai.com and we’ll get specific.
