Veroxa is built to protect the most sensitive family court data. Here's how we keep your information safe.
Your data is stored in Supabase's US-East-1 (Virginia) region, hosted on AWS infrastructure. All data remains within the United States.
Our application is deployed on Vercel's global edge network with the primary compute region in IAD1 (Washington, D.C.). Vercel processes HTTP requests but does not store your application data.
Database backups are encrypted and stored in the same AWS region. Point-in-time recovery is available for the last 7 days.
In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). This includes API calls, file uploads, and real-time connections.
At Rest: Your database is encrypted at rest using AES-256 encryption provided by AWS. Supabase manages the encryption keys through AWS KMS.
Field-Level: Sensitive fields (OAuth tokens, payment identifiers) are additionally encrypted using AES-256-GCM with a dedicated application-level encryption key before storage.
Every table in Veroxa uses Supabase's Row-Level Security (RLS) policies. This means your data is isolated at the database level - not just in the application code.
Each policy includes both USING (read/delete) and WITH CHECK (insert/update) clauses, ensuring that no user can read, create, modify, or delete another user's records - even through direct API access.
Attorney and parent data are completely segregated. Shared access (e.g., case invitations) requires explicit, revocable consent from both parties.
Two-Factor Authentication (2FA): TOTP-based MFA using industry-standard authenticator apps (Google Authenticator, Authy, etc.). When enabled, login requires both password and a 6-digit verification code.
Session Management: Sessions automatically expire after 30 minutes of inactivity. Users receive a warning at 25 minutes with the option to extend. All sessions use secure, HTTP-only cookies with SameSite protection.
Password Requirements: Minimum 12 characters with uppercase, lowercase, and numeric requirements.
Rate Limiting: Authentication endpoints are limited to 5 attempts per 15 minutes. API endpoints are rate-limited. All rate limiting is enforced server-side via Redis.
Veroxa uses Stripe Elements for all payment processing. Credit card numbers, CVVs, and other cardholder data never touch Veroxa's servers.
Card information is collected directly by Stripe's PCI-DSS Level 1 certified infrastructure via secure iframes. Veroxa only stores a Stripe customer identifier (encrypted) - never raw card data.
Subscription management, billing portal, and payment method updates are all handled through Stripe's secure APIs.
While Veroxa is not a covered entity under HIPAA, we implement HIPAA-aligned security practices for all health-related information stored on the platform:
We are in active discussions with Supabase regarding a HIPAA Business Associate Agreement (BAA) and SOC 2 Type II compliance documentation. Contact us at will@getveroxa.com for our current security documentation.
Your individual case data, documents, names, and personal information are never shared with third parties and are never used to train or improve any external model or service.
All data processing happens within our secure infrastructure. We do not sell, rent, or trade your personal information. Ever.
We may analyze anonymized, aggregated usage patterns (e.g., most-used features) to improve the platform. This data contains no personally identifiable information.
Veroxa implements a strict Content Security Policy (CSP) that controls which resources can load on each page:
Additional headers include HSTS (1 year with preload), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
You have full control over your data:
To exercise any data rights, contact will@getveroxa.com. We respond within 72 hours.
We're happy to discuss our security practices, provide documentation, or answer specific compliance questions.
Contact Security Team