Data encryption
All traffic to and from Valora is encrypted in transit with TLS 1.2 or newer. Customer data — including documents, valuations, and AI conversations — is encrypted at rest in our managed Postgres database and object storage.
Multi-tenant isolation
Valora is multi-tenant. Every record is scoped to an organization and enforced at the database layer using row-level security (RLS) policies. A user can only read and write data that belongs to an organization they are a member of, regardless of how the request is made.
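A minimal sketch of membership-scoped row-level security as described above, added here as an illustration and not Valora's actual schema or policies. The table, column and policy names are hypothetical; `auth.uid()` and the `authenticated` role are the ones Supabase provides.

```sql
-- Hypothetical schema: who belongs to which organization.
create table organization_members (
  organization_id uuid not null,
  user_id         uuid not null,
  primary key (organization_id, user_id)
);

-- Hypothetical tenant-owned table: every row carries its organization.
create table documents (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  title           text not null
);

-- With RLS enabled and no matching policy, a table returns no rows and
-- rejects writes, so a forgotten policy fails closed.
alter table organization_members enable row level security;
alter table documents            enable row level security;

-- A signed-in user may see only their own membership rows. There is no
-- insert/update/delete policy, so clients cannot add themselves to an
-- organization; membership changes must go through trusted server code.
create policy members_read_own on organization_members
  for select to authenticated
  using (user_id = auth.uid());

-- Reads, updates and deletes are limited to rows of organizations the
-- caller belongs to (USING). Inserted or updated rows must also land in
-- such an organization (WITH CHECK), which blocks writing a row into,
-- or moving a row to, another tenant.
create policy documents_member_access on documents
  for all to authenticated
  using (
    exists (
      select 1 from organization_members m
      where m.organization_id = documents.organization_id
        and m.user_id = auth.uid()
    )
  )
  with check (
    exists (
      select 1 from organization_members m
      where m.organization_id = documents.organization_id
        and m.user_id = auth.uid()
    )
  );
```

Because the filter lives in the database, a query that omits its own `where organization_id = ...` clause still returns only the caller's organizations' rows.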
Authentication and access control
Authentication is handled through Supabase Auth using email magic-link sign-in. Inside an organization, members have one of two roles — admin or analyst — and platform-level administration is a separate flag. Service-role credentials that bypass RLS are only used in trusted server-side code where the organization context is verified explicitly.
AI processing
AI features are powered by Anthropic's Claude models, accessed through the Vercel AI Gateway. Anthropic does not retain customer inputs or outputs for model training. Prompts include only the project and organization context that the requesting user already has access to.
Subprocessors
- Supabase — Postgres database, authentication, and file storage (EU/US regions).
- Vercel — application hosting and AI gateway.
- Anthropic — Claude language model for valuation analysis and report generation.
- Resend — transactional email delivery.
International transfers rely on EU-approved mechanisms, including Standard Contractual Clauses (SCCs).
Operational practices
- Code changes go through pull-request review before being deployed to production.
- Database migrations are versioned, append-only, and reviewed alongside the code change that depends on them.
- Production secrets are managed in our hosting platform's environment store and are not committed to source control.
- Logs and metrics are retained only as long as needed to operate and debug the service.
Reporting a vulnerability
If you believe you have found a security vulnerability in Valora, please email jbs@veridian.no. We appreciate disclosure that gives us a reasonable window to investigate and resolve the issue before it is shared publicly.