Partner security brief

Vorena security, for your team

One page, plain English, for the person who vets your tools. Every claim below is paired with the mechanism behind it, and we’ll walk a technical reviewer through any of it on a call. We publish only what’s true today — each claim provable.

What’s true today

Encrypted in transit

TLS everywhere — every request between you, your customers, and Vorena is encrypted.

Tenant isolation

Every dashboard route resolves your account server-side (resolveClientForUser) — you only ever see your own data.

Rate limiting that fails closed

When the limiter can't confirm a request is under budget, it's denied — never waved through.

Prompt-injection guard

The widget passes our 8/8 adversarial test suite — it won't be talked out of its instructions.

AI input caps + a hard cost circuit breaker

Inputs are bounded and spend is halted before it can run away.

Hosted in the U.S.

Our infrastructure runs in U.S. regions.

Connector tokens encrypted at rest

OAuth tokens for the tools you connect are encrypted in storage.

Export anytime, deletion on request

Completed and confirmed — your data stays yours.

Role-based access

Team accounts get role-based permissions.

What we don’t claim

Protected health information — we don't handle it yet. Our HIPAA program (BAAs, safeguards, documented policies) is in progress; if you're a healthcare practice, talk to us and we'll tell you exactly where we stand.
No compliance badges we haven't been audited for. When we claim a standard, it's because we've met it.

Questions for your reviewer? support@vorena-ai.com · Full detail at vorena-ai.com/security
Tip: Cmd/Ctrl+P to save this page as a one-page PDF.