Security & Trust
The Vero Security Pillar
VeroFin is designed as a privilege-preserving, US-only FinCEN compliance tool. We focus on three pillars: secure infrastructure, controlled AI usage, and a human-in-the-loop workflow that keeps attorneys firmly in charge of filings.
1. Secure, US-Only Infrastructure
VeroFin is built on a modern, US-hosted stack with strong isolation between firms.
- Database & storage: Supabase (PostgreSQL + Storage) with Row-Level Security (RLS) enforcing strict tenant isolation at the database layer.
- Hosting: Vercel, with TLS 1.3 for all traffic and encrypted storage for deployment artifacts. The application is operated as a US-only service.
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Uploaded closing packs live in private, non-public buckets.
- Data lifecycle: Raw uploaded closing packs are automatically removed from storage 90 days after a filing is completed; structured filing data and XML remain available to your firm subject to your account and legal retention needs.
- Tenant isolation: Every filing, document, and extracted field is tagged with a tenant ID and protected by RLS so one firm cannot see another firm's data.
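As an added illustration of the tenant-isolation pattern described above (this is not VeroFin's own schema), the following PostgreSQL Row-Level Security setup assumes a hypothetical `filings` table and that the caller's tenant ID is carried in the verified JWT's `app_metadata` claim, read through Supabase's `auth.jwt()`:

```sql
-- Added example, not VeroFin's code. Table, column and claim names are assumptions.
create table filings (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,
  status     text not null default 'draft',
  created_at timestamptz not null default now()
);

-- Enable RLS and FORCE it so that even the table owner is subject to the policies.
alter table filings enable row level security;
alter table filings force row level security;

-- Tenant ID asserted by the verified JWT of the current request
-- (assumes a custom claim app_metadata.tenant_id; NULL when absent).
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

-- Reads: only rows belonging to the caller's tenant are visible.
create policy filings_tenant_select on filings
  for select using (tenant_id = current_tenant_id());

-- Inserts: WITH CHECK stops a client from creating rows under another tenant.
create policy filings_tenant_insert on filings
  for insert with check (tenant_id = current_tenant_id());

-- Updates: USING limits which rows can be touched, WITH CHECK prevents
-- re-tagging a row to a different tenant.
create policy filings_tenant_update on filings
  for update using (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());

-- No DELETE policy is defined, so deletes are denied by default once RLS is on.
-- With no tenant claim, current_tenant_id() is NULL, every comparison is NULL,
-- and each query returns zero rows rather than another firm's data.
```

Note that Supabase's `service_role` key bypasses RLS, so any backend code that uses it must apply the tenant scope in its own queries rather than relying on these policies.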
2. Controlled AI Usage (No Training on Client Data)
AI is used to draft and validate FinCEN field values, not to build a global model of your clients. All AI calls are made from the server, not from the browser.
- Server-side only: The browser never calls model providers directly. All prompts and responses flow through VeroFin's backend, where they are authenticated, logged, and scoped to a single tenant.
- Sub-processors: We use OpenRouter and upstream LLM providers solely to perform extraction and validation for a given filing, via a dedicated key configured with Zero Data Retention (ZDR) and no-training settings. Prompts and outputs are not stored or used to train models.
- Minimum necessary data: The AI sees the documents needed to extract the 111 FinCEN fields for a specific filing; it does not have cross-tenant access to your database and does not see your billing or authentication data.
- No auto-filing: VeroFin never submits reports to FinCEN. AI outputs are drafts that your team reviews and uploads through the BSA E-Filing portal.
3. Human-in-the-Loop & Auditability
VeroFin is designed so that attorneys and paralegals remain clearly responsible for every filing.
- Drafts, not decisions: Dual AI agents extract and cross-check fields, but generated XML is explicitly presented as a draft. You decide what to file and when.
- Attorney review workflow: The platform is built around review and approval by licensed professionals. All legal determinations remain with your firm, not with the software.
- Field-level context: Each extracted field includes a confidence score, source page, and source text snippet so your team can quickly verify the AI's work.
- Audit support: The data model supports detailed logging of extractions, validations, and filings, giving firms an examiner-ready record of how each report was prepared.
For full legal terms and data handling details, please review our Terms of Service, Privacy Policy, and Sub-processors list.