Skip to content
Velo.

Security

How I store, protect, and delete your data.

Velo handles contracts, invoices, and client records. Here is exactly how that data is stored, transmitted, accessed, and deleted, plain English.

What Velo handles

Proposals & contracts

Line items, totals, approval logs.

Project data

Milestones, deliverables, status.

Invoices & payments

Issued invoices, paid status. Never card numbers.

Your data belongs to you

You own everything you put into Velo: proposals, invoices, project history, client records, time entries. I don't use your data for any purpose other than running the platform you signed up for. No training, no third-party analytics on the contents of your work, no sale to advertisers.

You can export all your proposals, invoices, and client records as CSV at any time from your account settings. Your data is never locked in.

If you delete your account, every record I hold for you is permanently removed within 30 days. That includes backups and the identifier I use to link your records together.

How client approvals work

Every shared proposal is reached through a unique, cryptographic share token tied to that one proposal. The link can't be guessed or reused on another record, and abuse is rate-limited at the edge.

Clients now sign in to a free Velo account to view and approve, so every approval is logged against a verified email address with a timestamp. That trail is consistent with Australia's Electronic Transactions Act 1999. For high-value engagements I still recommend a separate signed contract.

Velo is designed for use under Australian law. If you are outside Australia, please review the terms carefully before signing up.

How I protect your data

All data is encrypted in transit using TLS and encrypted at rest. Backups run automatically.

Connections to Velo run over TLS, so every byte of data in transit between your browser and the servers is encrypted. At rest, your records live in an encrypted serverless database in Australia with disk-level encryption.

The application itself runs on a serverless hosting platform, fronted by a dedicated authentication provider. Session tokens are HttpOnly cookies, scoped to the Velo domain, with the standard set of CSRF and SameSite protections.

Payments

Velo never stores card or bank details. Stripe handles all payment processing end-to-end.

Clients pay invoices by card through Stripe Checkout directly on the share link. Card numbers go from the client's browser straight to Stripe. Velo only ever sees the resulting status (paid, refunded, disputed).

For clients who prefer bank transfer, your invoice PDF still includes your bank details as a fallback.

Account deletion

You can delete your account from Settings at any time. Deletion purges your records from the database and your auth provider, and all associated data is permanently removed within 30 days. I don't hold a shadow copy.

If you'd rather pause than delete, every plan has a free trial that pauses your workspace without losing any data. Pick up where you left off whenever you come back.

Reporting an issue

Found a security bug? Email jaineelk.dev@gmail.com with the details and a way to reach you. Don't share specifics on public channels until I've had a chance to fix the issue and tell the affected users.

On the roadmap

What I don't do yet.

Standards-level security work that is on the build queue. I'm shipping these in order before public launch.

  • Independent third-party security audit
  • Two-factor authentication for agency accounts
  • SOC 2 Type II certification
  • Single sign-on (SSO)

Want the full picture?

Read the Privacy Policy.

The Privacy Policy and Terms of Service cover the full legal language. The summary on this page is the spirit of it.

Australian privacy law applies. If you're outside Australia, please read the policy carefully before signing up.

Read Privacy PolicyRead Terms of Service