Privacy Policy
Last updated: July 11, 2026
This Privacy Policy explains what information Veritrail ("we", "us") collects when you use the Veritrail service, why we collect it, how we protect it, and the choices you have. Veritrail is a read-only, scanning-only compliance-evidence tool for engineering teams: it connects to your cloud providers (AWS, Google Cloud, Azure) and developer tools (such as GitHub, GitLab, identity providers, and vulnerability scanners) to collect configuration evidence and map it to compliance frameworks. Veritrail never modifies your environments.
Information we collect
We collect the following categories of data:
- Account & identity. Your name, email address, a securely hashed password, and — if you sign in with a provider — your GitHub, Google, or GitLab identifier. If you enable multi-factor authentication, we store the data needed to verify it.
- Workspace. Organization name, verified company domains, members, and their roles.
- Cloud & integration connection details. The credentials you authorize us to use to connect each provider — for example an AWS account ID with an IAM role ARN and external ID, a Google Cloud workload-identity or service-account configuration, an Azure subscription and app registration, and the OAuth tokens or API keys for developer tools you connect (such as GitHub, GitLab, Google Workspace, Microsoft Entra ID, Jira, and vulnerability scanners). These connection secrets are encrypted at rest.
- Scan results (configuration metadata). Using the read-only access you authorize, Veritrail collects configuration and metadata from the accounts and tools you connect — for example cloud IAM principals, policies and key usage; storage, network, database and encryption settings; audit-log metadata; source-control branch-protection and review settings; identity-provider user and MFA status; scanner findings; and the findings and evidence snapshots derived from them. Veritrail does not read the contents of your data stores (object/file contents) or the values of your secrets — only the configuration needed to evaluate posture.
- Usage & operational data. IP address, request logs, and an audit log of privileged actions taken in your workspace (e.g. connecting an account, changing settings, inviting members).
- Cookies. We use strictly necessary cookies to keep you signed in (session/refresh tokens). We do not use advertising cookies.
Why we collect it
To provide and secure the service: authenticate you, collect evidence from the accounts and tools you connect, generate findings and auditor-ready evidence, send the notifications you configure, support you, prevent abuse, and meet our legal obligations. Where required, our legal bases are performance of our contract with you and our legitimate interest in operating a secure service.
Where and how we store it
Application data and evidence data are hosted on Hetzner infrastructure in the European Union. Data is encrypted in transit (TLS) and sensitive connection details (role ARN, external ID, OAuth tokens, API keys) are encrypted at rest. Access is restricted to the systems and personnel that need it to run the service.
How long we keep it
We retain account and workspace data while your account is active and for a limited period afterward. Operational audit logs are retained for roughly twelve months. Scan results and evidence snapshots are kept so your evidence packs remain available for the relevant period. You can ask us to delete your data (see "Your rights").
Who we share it with
We do not sell your data. We share it only with service providers (subprocessors) that help us run Veritrail, under contract and only as needed:
- Cloud hosting / infrastructure — Hetzner (EU) hosts the application and database.
- The providers you connect — Veritrail uses the read-only access you authorize to reach your cloud accounts (AWS, Google Cloud, Azure) and developer tools (such as GitHub, GitLab, identity providers, ticketing, and scanners). We only access what you connect.
- Email delivery — a transactional email (SMTP) provider, used to send digests, invitations, and alerts you opt into.
We may also disclose data if required by law or to protect our rights and users.
Your rights
Depending on where you live, you may have the right to access, correct, export, restrict, or delete your personal data, and to object to certain processing. To exercise any of these, email us at support@veritrail.io. We do not sell personal information.
Children
Veritrail is a business tool and is not directed to anyone under 16. We do not knowingly collect their data.
Changes to this policy
We may update this policy as the service evolves. We will revise the "Last updated" date above and, for material changes, notify you in the app or by email.
Contact
Questions? Email support@veritrail.io.