Security
Last updated: April 2026
Your training data is sensitive. We treat it that way. This page outlines the technical and organisational measures we use to protect your information.
Authentication
- All accounts are authenticated via Supabase Auth, which issues signed JWTs (JSON Web Tokens) that our API verifies on every request
- Passwords are hashed using bcrypt — we never store plaintext credentials
- Sessions expire automatically; signing out revokes the session's refresh token, and the short-lived access token lapses at its expiry
- Third-party platform connections (Garmin, Strava) use OAuth 2.0 where available; credentials are encrypted at rest where direct auth is required
Data in transit
- All traffic between your device and Vela servers is encrypted via TLS 1.2 or higher
- API endpoints enforce HTTPS — HTTP requests are rejected
- CORS policies restrict which browser origins may call the API; CORS is a browser-side control and is not relied on for authentication, which the JWT check provides
Data at rest
- Database encryption at rest via Supabase (PostgreSQL with AES-256)
- Third-party credentials stored in encrypted environment variables, never in source code
- Backups are encrypted and retained for 7 days
Infrastructure
- Frontend hosted on Vercel with automatic DDoS protection and edge security
- Backend hosted on Railway with isolated container environments
- Database on Supabase (EU region) with row-level security policies
- No production credentials are stored in version control
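As an illustration of what a row-level security policy on Supabase looks like, here is an added example (not Vela's own schema or policies). The table name `training_sessions` and its columns are hypothetical; `auth.uid()` and the `authenticated` role are standard Supabase/PostgreSQL features.

```sql
-- Hypothetical table: one row per uploaded training session, owned by user_id.
create table if not exists training_sessions (
  id uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users (id) on delete cascade,
  recorded_at timestamptz not null,
  payload jsonb not null
);

-- Deny by default: once RLS is enabled, no row is readable or writable
-- through the API until a policy explicitly allows it.
alter table training_sessions enable row level security;

-- Owners may read only their own rows. auth.uid() is the user id from the
-- verified JWT; it is NULL for anonymous requests, so the comparison fails.
create policy "owner can read" on training_sessions
  for select
  to authenticated
  using (user_id = auth.uid());

-- Owners may insert rows only for themselves (a request cannot file data
-- under another user's id).
create policy "owner can insert" on training_sessions
  for insert
  to authenticated
  with check (user_id = auth.uid());

-- Owners may update their own rows and cannot reassign ownership:
-- USING filters which rows are visible to the update, WITH CHECK validates
-- the resulting row.
create policy "owner can update" on training_sessions
  for update
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Owners may delete their own rows.
create policy "owner can delete" on training_sessions
  for delete
  to authenticated
  using (user_id = auth.uid());
```

Two caveats a reviewer would check: every table exposed through the API needs RLS enabled, since an unprotected table is readable with the public anon key; and the Supabase `service_role` key bypasses RLS entirely, so it must stay server-side and never reach the frontend bundle.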
Responsible disclosure
If you discover a security vulnerability in Vela, please report it to security@vela.fit. We will respond within 48 hours, investigate promptly, and keep you informed of the outcome. We do not take legal action against researchers who report vulnerabilities in good faith.
Security is a continuous process. We review and update our practices regularly. Last full security review: April 2026.