Legal

Privacy Policy

Draft under legal review.

Draft — under legal review. This Privacy Policy has not been finalized. Do not use VellumGuard for regulated production data, PHI, or customer-sensitive production workloads unless separately agreed in writing with VellumGuard. VellumGuard is not currently SOC 2 certified, is not currently HIPAA compliant, and no Business Associate Agreement (BAA) is currently available.

VellumGuard is currently in private beta / design-partner access. A complete Privacy Policy will be published at this URL before any public or commercial launch. The notes below describe our current data practices as they stand during beta.

What data we collect

What we do not collect

How data is stored

Data is stored in Google Cloud SQL (Postgres) in us-east1. Automated daily backups are retained according to Cloud SQL defaults. EU data residency is not currently available.

Data sharing

We do not sell data. During beta, data is processed by VellumGuard and its infrastructure providers (Google Cloud). A sub-processor list will be published with the final Privacy Policy.

Beta data-use restriction

During the private beta, do not send PHI, PCI card data, or other regulated personal data through the VellumGuard API without a separate written data-handling agreement. Contact beta@vellumguard.com before sending regulated data.

Contact

Privacy questions: beta@vellumguard.com

Last updated: draft — not finalized. Version will be stamped when legal review is complete.