Evidence first. Controlled side effects.
Trust isn't a feature we bolt on. It's the architecture. Every layer of Verachi is built around strict data isolation, conservative defaults, and complete transparency.
How we protect your data.
Multi-tenant by design
Every workspace is isolated at the database level using Postgres Row-Level Security (RLS). Your data never commingles with another workspace's — not in queries, not in caches, not in backups.
- Row-Level Security enforced on every database query
- Workspace-scoped API keys and sessions
- Isolated search indexes per workspace
Protected at every layer
Data is encrypted at rest and in transit. Integration credentials are stored with an additional layer of application-level encryption beyond the database.
- AES-256 encryption at rest
- TLS 1.3 for all data in transit
- OAuth tokens encrypted with per-workspace keys
Insight, not surveillance
Verachi captures decisions and context. We have no concept of employee productivity, keystrokes, or individual performance metrics. There are no manager dashboards comparing team members.
- No productivity tracking of any kind
- No individual performance scoring
- No data sold to third parties
What we access — and what we don't.
Verachi requests the minimum OAuth scopes needed. Here's exactly what each integration accesses.
| Integration | What we read | What we write | What we never access |
|---|---|---|---|
| Slack | Messages in channels the bot is invited to; thread replies; reactions | Messages posted by the Verachi bot (only when triggered) | DMs, private channels (unless bot is explicitly invited), file uploads, user presence |
| Jira | Issue titles, descriptions, comments, status changes, project metadata | Labels or comments (only via configured rules, reviewable in audit log) | Tempo logs, personal boards, sprint velocity, individual workload |
| GitHub | PR titles, descriptions, review comments, issue discussions | None by default; optional PR comments via configured rules | Source code contents, commit diffs, CI/CD secrets, Actions logs |
Conservative write-backs.
Verachi reads far more than it writes. When we do act on your behalf, every action follows these rules.
Explicit
You initiate the action, or a workspace admin configures the automation rule. Verachi never writes to your tools without a clear trigger.
Reviewable
Every external write is logged in a user-visible audit trail. Any workspace member can see what Verachi did, when, and why.
Reversible
Write-backs are designed to be non-destructive. Labels added, comments posted — never edits to existing content, never deletions.
User-visible audit trail
Every action Verachi takes — every data sync, every write-back, every AI-generated summary — is recorded in an audit log accessible to all workspace members. There are no hidden operations. You see exactly what we see.
Standards and certifications.
SOC 2 Type II
We are currently pursuing SOC 2 Type II certification covering security, availability, and confidentiality trust service criteria.
Data residency
Enterprise customers can choose data residency in the US, EU, or Asia-Pacific regions. Contact sales to discuss your requirements.
Questions about security?
We're happy to walk through our architecture, answer your security questionnaire, or set up a call with our engineering team.