Last updated: 18 June 2026

Trust Centre

This page is maintained by Velora Consulting to answer common security and privacy questions about how we work. It covers our current practices, controls and commitments — not independent certification.

ICO registered

Registration number ZC165315.

Encryption in transit

All traffic to this site is served over HTTPS (TLS 1.2+).

Cookie consent

We ask for consent before loading non-essential analytics cookies.

UK-based company

Registered in England & Wales (No. 17260165).

Framework-aligned

We align to ISO/IEC 42001, NIST AI RMF, EU AI Act, ICO and NCSC guidance.

What this page covers

This page explains how Velora Consulting handles security, privacy and compliance. It is intended for procurement teams, data protection officers and clients who need to understand our risk posture and controls. It is not a certification or an independent audit report.

Access and authentication

  • Client portal pages (account, resources and admin tools) require authentication. We use email-based authentication with secure session management.
  • Admin functions are restricted to authorised Velora staff. We do not rely on client-side role claims alone; access checks are enforced server-side.
  • User roles are stored in a dedicated user_roles table — never on the user profile — to prevent privilege-escalation paths via profile updates.
  • Password reset flows use time-limited, single-use tokens delivered to the registered email address.
  • Sessions use httpOnly cookies handled by the auth provider; tokens are rotated on refresh and revoked on sign-out.

Database function access audit

We periodically audit every SECURITY DEFINER database function and restrict execution to the minimum role required. Current posture:

  • has_role: Read-only role check used inside RLS policies. Callable by: Authenticated (required for RLS).
  • get_public_site_settings: Returns a whitelist of public site settings only. Callable by: Public / anon.
  • enqueue_email, read_email_batch, delete_email, move_to_dlq: Internal email-queue plumbing used by edge functions. Callable by: Service role only.
  • cleanup_old_audit_data: Scheduled retention cleanup of audit reports and Lighthouse runs. Callable by: Service role only.
  • handle_new_user: Trigger that provisions a profile and default role on sign-up. Callable by: Service role only (auth trigger).

All functions pin search_path to public to prevent schema-resolution attacks, and Row-Level Security is enabled on every public table.
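The posture described above (roles in a dedicated table, a SECURITY DEFINER has_role() check with a pinned search_path, least-privilege EXECUTE grants, RLS on every table) written out as illustrative Postgres/Supabase SQL. This is an added example, not Velora's own schema; it assumes Supabase's standard roles (anon, authenticated, service_role), the auth.users table and auth.uid(), and a constructed 90-day retention window for the cleanup function.

```sql
-- Illustrative schema for this page; not the site's actual code.
-- Assumes Supabase roles anon/authenticated/service_role and auth.uid().

-- Roles live in their own table, never on the profile, so a user who can
-- update their own profile row cannot also write themselves a role.
CREATE TABLE public.user_roles (
  user_id uuid NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
  role    text NOT NULL CHECK (role IN ('admin', 'client')),
  PRIMARY KEY (user_id, role)
);
ALTER TABLE public.user_roles ENABLE ROW LEVEL SECURITY;
-- Read-only for users; no INSERT/UPDATE policy, so only service_role
-- (which bypasses RLS, e.g. from the sign-up trigger) can assign roles.
CREATE POLICY "users read own roles" ON public.user_roles
  FOR SELECT TO authenticated USING (user_id = auth.uid());

-- SECURITY DEFINER so policies can consult user_roles regardless of the
-- caller's own policies; search_path pinned so an object planted in another
-- schema cannot shadow user_roles during name resolution.
CREATE OR REPLACE FUNCTION public.has_role(_user_id uuid, _role text)
RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public
AS $$
  SELECT EXISTS (SELECT 1 FROM public.user_roles
                 WHERE user_id = _user_id AND role = _role);
$$;
-- Postgres grants EXECUTE to PUBLIC by default: take it back, then grant
-- only to authenticated, the one role whose RLS policies call it.
REVOKE EXECUTE ON FUNCTION public.has_role(uuid, text) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.has_role(uuid, text) TO authenticated;

-- An admin-only table protected by RLS that uses the check.
CREATE TABLE public.audit_reports (
  id bigserial PRIMARY KEY,
  created_at timestamptz NOT NULL DEFAULT now(),
  body jsonb NOT NULL
);
ALTER TABLE public.audit_reports ENABLE ROW LEVEL SECURITY;
CREATE POLICY "admins read audit reports" ON public.audit_reports
  FOR SELECT TO authenticated USING (public.has_role(auth.uid(), 'admin'));

-- Internal plumbing is callable by service_role only (90-day window assumed).
CREATE OR REPLACE FUNCTION public.cleanup_old_audit_data()
RETURNS void LANGUAGE sql SECURITY DEFINER SET search_path = public
AS $$ DELETE FROM public.audit_reports
      WHERE created_at < now() - interval '90 days'; $$;
REVOKE EXECUTE ON FUNCTION public.cleanup_old_audit_data()
  FROM PUBLIC, anon, authenticated;
GRANT  EXECUTE ON FUNCTION public.cleanup_old_audit_data() TO service_role;
```

A quick audit query for the same posture is `SELECT proname, proacl, proconfig FROM pg_proc WHERE prosecdef;`, which lists every SECURITY DEFINER function with its grants and whether search_path is pinned.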

Platform and hosting context

This website is built and hosted on the Lovable platform. Lovable provides the underlying infrastructure, edge network, database and build pipeline. Velora Consulting owns the application code, content and data model. Both parties share responsibility for security:

  • Lovable platform: infrastructure patching, TLS termination, DDoS protection, and edge-network availability.
  • Velora Consulting: application logic, access controls, data handling, third-party integrations, and content accuracy.

Data collection and use

We collect only the data we need to respond to enquiries, deliver services and meet legal obligations. For full details, see our Privacy Policy.

In short: we collect contact details when you fill in a form, book a call or request a resource. We do not sell personal data. We process data in the UK or under UK-approved transfer safeguards.

Subprocessors and integrations

We use a small set of trusted service providers to operate the business and this website:

  • Stripe — payment processing. Card details are handled entirely by Stripe; we do not store them.
  • Calendly — consultation booking and scheduling.
  • Mailchimp — email marketing and resource-request form handling.
  • Google Workspace — email and document storage for client engagements (EU/UK regions where available).
  • Lovable Cloud / Supabase — database, authentication and edge functions for this application.

Cookies and analytics

We use essential cookies for site functionality and, with your consent, analytics cookies to understand how the site is used. You can manage your preferences at any time. See our Cookies Policy for details.

Retention and deletion

We keep personal data only as long as necessary. Enquiry data is retained for up to 24 months from last contact. Marketing data is kept until you unsubscribe or request deletion. Client and accounting records are retained for the period required by UK law (typically six years). See the Privacy Policy for full retention schedules.

Privacy requests

You have the right to access, correct, delete or restrict processing of your personal data. To make a request, email privacy@veloraconsulting.co.uk. We will respond within one month.

Incident and security contact

If you discover a security issue or have a concern about how we handle data, please email hello@veloraconsulting.co.uk. We aim to acknowledge reports within 48 hours and will coordinate remediation as appropriate.

Vulnerability reporting

We welcome responsible disclosure of security vulnerabilities. Please send details to hello@veloraconsulting.co.uk with enough information for us to reproduce and assess the issue. We will not take legal action against researchers who act in good faith.

Compliance and certifications

Velora Consulting is not currently certified to ISO 27001, SOC 2 or equivalent standards. Our services are consultative in nature and do not constitute legal, regulatory or financial advice. We align our work to recognised frameworks (ISO/IEC 42001, NIST AI RMF, EU AI Act, ICO guidance, NCSC AI principles) as a matter of practice, not certification.

If you require specific compliance evidence for a procurement process, contact us and we will share what we can within the bounds of client confidentiality.

Changes to this page

We update this page as our practices evolve. The latest version will always be published here.