Security at Valiro
Last updated: April 2026
We take the security of your data seriously. Learn about the measures we implement to keep your projects and information safe.
Our Security Practices
Data Encryption
All data transmitted to and from Valiro is encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol. Data stored in our systems is encrypted at rest using AES-256, an industry-standard encryption method used by financial institutions and government agencies.
Authentication & Access Control
User authentication is handled directly by the Valiro backend, which issues short-lived JSON Web Tokens (JWTs). We support:
- Secure password policies with complexity requirements
- Multi-factor authentication (MFA) for additional security
- Session management with automatic timeout
- Role-based access control (RBAC) to limit data access
Our role-based system ensures that staff users have access to project management features, while frontline employees only see the projects and tasks they are assigned to.
Infrastructure Security
Valiro is built on a modern, secure infrastructure:
- Cloudflare: Provides DDoS protection, Web Application Firewall (WAF), and SSL/TLS termination for our static assets and web application.
- Convex: Our backend database and serverless functions run on Convex’s secure, managed infrastructure with built-in data isolation.
AI Data Handling
Our AI features are powered by Google Gemini with EU data residency. This means:
- AI queries are processed within the European Union
- Your document content used for AI context remains in EU infrastructure
- AI interactions are not used to train external models
- You control which documents are accessible to AI features through context scoping
Analytics Privacy
We use Umami for website analytics, self-hosted on our own domain within the EU. Umami is cookie-free and does not collect personal data, and its analytics data is never shared with third parties. You can learn more in our Privacy Policy.
Compliance & Standards
As an EU-based company, we are committed to compliance with:
- GDPR: Full compliance with the General Data Protection Regulation, including data subject rights, lawful processing, and data protection by design.
- Data Localization: EU data residency options for analytics and AI processing to meet data sovereignty requirements.
Incident Response
We maintain an incident response plan to address potential security events:
- 24/7 automated monitoring for security anomalies
- Defined escalation procedures for security incidents
- Commitment to notify affected customers within 72 hours as required by GDPR
- Post-incident analysis and remediation
Security Updates
We regularly update our systems and dependencies to address security vulnerabilities. Our development practices include:
- Regular dependency audits and updates
- Code review for all changes
- Automated security scanning in our CI/CD pipeline
Reporting Security Issues
If you discover a security vulnerability, please report it to us immediately. We appreciate responsible disclosure and will work with you to address the issue.
Security Contact (email): info@valiro.ai. Please include “Security” in the subject line.
Security questions, in plain language
How we host, what we encrypt and what happens to the documents you upload.
Where does my data live?
Exclusively on servers in the European Union. All Valiro data — projects, documents, AI embeddings, time entries — is processed and stored inside the EU. We never replicate to third-country regions, and our backups stay inside the same residency boundary.
How is my data protected in transit and at rest?
TLS 1.2+ for everything you send to or receive from the platform. AES-256 encryption at rest for the database and object storage. Documents you upload are encrypted before they reach the storage layer; access requires authenticated API tokens scoped to your tenant.
Which AI models does Valiro use?
A mix of European language models (Mistral, Aleph Alpha) for confidentiality-critical tasks and selected OpenAI / Anthropic models for complex reasoning. All inference runs through EU endpoints with no training on your data. You can constrain the model selection per workspace in the Enterprise plan.
What happens to documents I upload?
Uploaded documents are indexed for the AI workspace and stored within your tenant. They are never shared across tenants, never used to train models, and can be deleted permanently at any time. You retain full ownership.