VeloDB Security Addendum
Effective Date: June 15, 2026
Last Updated: June 15, 2026
This Security Addendum describes the technical and organizational measures VeloDB maintains to protect Customer Data and Customer Personal Data in connection with the Services. It supplements the VeloDB General Terms and Conditions, Data Processing Addendum, applicable Order Form, product addendum and any security exhibit that expressly incorporates it.
This Security Addendum applies to VeloDB-controlled components of the Services. Certain responsibilities differ by service model, deployment configuration, cloud provider, region, feature and customer-selected settings. If an Order Form, Data Processing Addendum, product addendum or signed security exhibit states a more specific requirement for the same subject matter, that more specific requirement controls to the extent of the conflict.
VeloDB may update this Security Addendum from time to time, provided that updates will not materially diminish the overall level of protection for Customer Personal Data during an active Services term.
1. Security Program
VeloDB maintains a written information security program appropriate to the nature of the Services and the risks associated with Processing Customer Data. The program is designed to protect the confidentiality, integrity and availability of Customer Data and to reduce the risk of unauthorized access, disclosure, alteration, loss or destruction.
The security program includes governance, risk management, access control, secure development, vulnerability management, change management, logging, monitoring, incident response, business continuity, vendor management, personnel security and privacy controls.
2. Governance, Policies and Assurance
VeloDB maintains policies and procedures addressing information security, privacy, access control, incident response, vendor management, change management, business continuity and related operational controls. VeloDB assigns responsibility for security program oversight and evaluates material risks to systems used to provide the Services.
VeloDB's public Compliance and Trust materials identify SOC 2 Type II and ISO/IEC 27001:2022 as available trust materials through VeloDB's approved trust process. Reports, certificates, bridge letters, control mappings, penetration-test summaries and similar assurance materials may be made available through VeloDB's Trust Center, account team or another approved diligence channel, subject to confidentiality, security, legal, sharing and retention restrictions.
Public security documentation, Trust Center materials, questionnaires, control mappings, architecture materials and other diligence materials support transparency and customer review. They do not modify the Agreement, Data Processing Addendum, this Security Addendum, an Order Form or an approved exhibit unless expressly incorporated.
3. Personnel Security and Confidentiality
VeloDB personnel authorized to access Customer Data are subject to confidentiality obligations appropriate to their role. VeloDB provides security and privacy awareness appropriate to personnel responsibilities and maintains onboarding, access modification and offboarding processes for personnel with access to relevant systems.
VeloDB limits personnel access to Customer Data and relevant systems to authorized personnel with a business need related to providing, operating, supporting, securing or improving the Services.
4. Access Control and Privileged Access
VeloDB maintains logical access controls designed to limit access to systems Processing Customer Data based on job responsibility, least privilege and need to know. Administrative access is restricted to authorized personnel and is subject to authentication, authorization, logging, review or other controls appropriate to risk.
Where supported by the relevant system, VeloDB uses multi-factor authentication or equivalent controls for privileged or administrative access. VeloDB periodically reviews access to relevant systems and revokes access when it is no longer required.
Customer is responsible for Customer-controlled accounts, credentials, identity providers, console users, database users, roles, permissions, network exposure, allowlists, key material, customer-managed integrations and Customer cloud account configurations.
5. Encryption and Key Management
VeloDB protects Customer Data transmitted over public networks using industry-standard encryption or another appropriate safeguard. VeloDB uses encryption at rest for Customer Data stored in VeloDB-controlled production systems where appropriate to the nature and risk of the Processing.
VeloDB's public encryption documentation describes cloud-platform storage and disk encryption, optional warehouse-layer transparent data encryption where supported, customer-managed key options for AWS enhanced encryption, infrastructure-layer encryption on private cloud paths and HTTPS for object-storage load and export workflows.
VeloDB maintains controls for credentials, keys and secrets used to access VeloDB-controlled systems. Each party remains responsible for keys, credentials, secrets and cloud-provider controls under its control. Customer-managed key deletion, disablement or misconfiguration may affect Service operation.
6. Network and Infrastructure Security
VeloDB maintains controls designed to protect VeloDB-controlled production systems from unauthorized network access. These controls may include segmentation, endpoint controls, private connectivity options, IP allowlist options, restricted administrative pathways and monitoring appropriate to the relevant service model.
For VeloDB Cloud, VeloDB is responsible for VeloDB-controlled cloud infrastructure and service components used to provide the hosted Services, subject to the Agreement, Order Form and applicable service configuration.
For customer-controlled or bring-your-own-cloud environments, Customer owns the Customer cloud account, VPC or VNet, provisioned resources, identity and key material, network exposure, cloud-provider guardrails, infrastructure-layer logging and cloud-provider audit evidence. VeloDB operates the warehouse software, control plane, orchestration agent and scoped cloud access used to provision and run warehouse resources under the supported model.
7. BYOC Shared Responsibility
VeloDB's BYOC model is based on shared responsibility. Public BYOC documentation states that warehouse compute and customer warehouse storage are deployed in Customer's cloud account, while VeloDB-controlled control-plane and operational records are handled under the applicable Agreement, Data Processing Addendum, Security Addendum, service documentation, support materials and Subprocessor terms.
Customer is responsible for:
- selecting and maintaining the Customer cloud account, region, network, security groups, private endpoints, quotas and account guardrails;
- creating, approving, monitoring and revoking cloud access paths such as cross-account roles, service accounts, managed identities, data credentials or equivalent mechanisms;
- managing customer-owned storage, backups, object-storage lifecycle settings, keys, secrets, certificates and infrastructure logs;
- avoiding unsupported direct changes to VeloDB-created resources; and
- exporting, retaining, deleting, deprovisioning and preserving evidence for Customer-controlled resources during offboarding.
VeloDB is responsible for:
- developing, operating, maintaining, monitoring and supporting the VeloDB warehouse software and VeloDB-controlled service components;
- using scoped cloud access only for authorized provisioning, operation, support, incident response and offboarding purposes;
- maintaining VeloDB-controlled service logs, audit records and assurance materials subject to applicable security restrictions; and
- handling Customer Personal Data in VeloDB or Subprocessor possession or control under the Data Processing Addendum and this Security Addendum.
8. Logging, Monitoring, Auditability and Telemetry
VeloDB maintains logging and monitoring controls appropriate to detecting security events, supporting investigation, troubleshooting, service reliability and incident response for VeloDB-controlled systems. Access to logs containing Customer Data is limited to authorized purposes and personnel.
VeloDB's public audit logging documentation describes organization activity logs, SQL audit logging, console query audit views, Log Explorer capabilities and infrastructure-event boundaries. SQL audit records, query text, query profiles, query history, support records, diagnostic bundles and similar records may constitute Customer Personal Data where they identify or can be linked to individuals.
For BYOC Services, infrastructure-layer cloud-provider logs and audit evidence in Customer's cloud account are Customer-owned evidence. VeloDB-controlled telemetry, operational metadata, support records and diagnostic records are handled according to the Agreement, Data Processing Addendum, this Security Addendum, service configuration, support workflow and applicable retention practices.
9. Vulnerability Management, Secure Development and Change Management
VeloDB maintains processes designed to identify, assess, prioritize, track, remediate or mitigate material vulnerabilities in VeloDB-controlled systems used to provide the Services. VeloDB prioritizes vulnerabilities based on severity and contextual risk, including exploitability, exposure, affected service scope, customer impact, patch availability and available compensating controls.
Remediation may include patching, configuration changes, workarounds, compensating controls or other risk-reduction measures appropriate to the vulnerability. Unless stated in an applicable Order Form or approved security exhibit, this Security Addendum does not state a fixed remediation-day SLA matrix for every vulnerability source or severity level.
VeloDB maintains secure development and release-management processes designed to review, test and deploy changes to the Services in a controlled manner. VeloDB may conduct or obtain penetration tests, security assessments or similar reviews for relevant Services. Approved summaries or evidence may be made available through VeloDB's trust or diligence process subject to confidentiality, security and legal restrictions.
10. Vendor and Subprocessor Management
VeloDB maintains a risk-based vendor and Subprocessor management process for providers that Process Customer Personal Data or materially support the Services. VeloDB requires Subprocessors that Process Customer Personal Data on VeloDB's behalf to be subject to written data protection obligations appropriate to their Processing role.
VeloDB maintains a public Subprocessor List or successor location. Subprocessor applicability may differ by service, deployment model, region, feature, support workflow or customer environment. For changes governed by the Data Processing Addendum, VeloDB provides at least thirty (30) calendar days' advance notice before a new or replacement Subprocessor begins Processing Customer Personal Data, except where shorter notice is reasonably required for security, continuity, emergency, legal or similar reasons. Customer may object within ten (10) calendar days after notice on reasonable grounds relating to data protection, subject to the process in the Data Processing Addendum.
11. Incident Response
VeloDB maintains an incident response process designed to detect, triage, investigate, contain, remediate, document and communicate security incidents affecting the Services.
Security Incident notification obligations for Customer Personal Data are governed by the Data Processing Addendum. VeloDB will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data, unless an earlier deadline is required by applicable law. Notice may be provided in phases as information becomes available. Notice of or response to a Security Incident is not an admission of fault or liability.
Unsuccessful attempts, scans, denial-of-service attempts, availability events or operational alerts are not Security Incidents unless they result in a compromise of Customer Personal Data or meet another applicable contractual or legal definition.
12. Business Continuity, Backups and Offboarding
VeloDB maintains business continuity and disaster recovery processes appropriate to VeloDB-controlled components of the Services. Customer remains responsible for Customer-controlled cloud-account resilience, backup configuration, export strategy, key availability, disaster-recovery design and Customer-side cloud cleanup for BYOC Services unless an Order Form or approved exhibit states otherwise.
Upon termination or expiration of applicable Services, VeloDB follows the return, deletion and offboarding obligations in the Data Processing Addendum, Agreement, Order Form, service materials and applicable offboarding guidance. Deletion and return may require time to propagate through applicable systems, backups and Subprocessors. Until Customer Personal Data is deleted or returned, VeloDB continues to protect it and limits further Processing to deletion, return, export, security, backup, audit, compliance or lawful retention purposes.
For BYOC Services, Customer is responsible for exporting required data before deletion, saving required console objects, confirming backup-retention decisions, initiating warehouse deletion, revoking VeloDB access, deleting or retaining Customer-controlled object storage, keys, networking and cloud resources, and preserving Customer-side audit evidence. VeloDB remains responsible for Customer Personal Data in VeloDB or Subprocessor possession or control.
13. Remote Support for BYOC
VeloDB's public Remote Support for BYOC documentation describes a support model in which VeloDB engineers do not have persistent or unrestricted access to Customer's BYOC environment by default. Access requests identify the requesting engineer, target environment, operational purpose and requested duration.
Approved support access uses a temporary encrypted reverse tunnel initiated from inside Customer's BYOC environment through the BYOC Agent. The model does not require inbound public internet ports for that tunnel. Sessions are time-bounded, expire automatically and cannot be silently renewed or reused after closure. Support activity is audited and may include session recording, command logging and tamper-evident retention.
Customer-specific support restrictions, access-location limits, emergency access procedures or evidence-sharing commitments apply only where stated in the applicable Agreement, Order Form, support workflow, approved exhibit or signed written commitment.
14. Customer Assurance and Audits
VeloDB responds to reasonable security and privacy diligence requests in accordance with the Agreement and applicable confidentiality, security and legal requirements. Where current, applicable and approved for customer sharing, VeloDB may use independent reports, certifications, bridge letters, control mappings, questionnaires, penetration-test summaries and security documentation as the primary method of demonstrating relevant controls.
If additional audit rights are required by applicable Data Protection Laws and the available assurance materials are not sufficient for Customer's verification purpose, audit rights are governed by the Data Processing Addendum, Agreement and any applicable Order Form or approved exhibit. Audits must not expose data relating to other customers or compromise VeloDB's security controls.
15. Restricted Data, Regulated Use Cases and AI
Customer is responsible for determining whether the Services are appropriate for Customer's intended Processing, providing legally sufficient instructions, obtaining required notices and consents, and configuring the Services lawfully.
Customer must not submit Restricted Data, including protected health information, payment card data, children's data, biometric data, consumer health data or data subject to specialized legal or contractual regimes, unless VeloDB has approved the relevant Services configuration in writing and the parties have executed any required additional terms. Public statements about VeloDB's compliance program, certifications, Trust Center materials or documentation do not by themselves authorize Restricted Data Processing.
VeloDB does not sell Customer Personal Data or use identifiable Customer Personal Data, customer content, query data or forwarded customer logs to train generalized artificial intelligence models unless the parties expressly agree in writing after confirming applicable legal, security and product requirements. AI-assisted support, engineering, ticket-summary, log-analysis, diagnostic or similar workflows may Process Customer Personal Data only under authorized instructions, approved workflows and applicable vendor-risk, Subprocessor, data-minimization, confidentiality, retention, transfer and access controls.
16. Source Materials
The following VeloDB public materials support the control statements in this Security Addendum: