Velohost

Platform security

Security Policy

Velohost is designed to operate securely by default. This policy explains how infrastructure, services, and data are protected against unauthorised access, abuse, and disruption.

Effective date: 01 January 2026

1. Security philosophy

Velohost follows a defence-in-depth approach to security, combining infrastructure controls, provider safeguards, and minimal data handling.

Security decisions prioritise:

  • Minimising data exposure
  • Reducing attack surface
  • Maintaining platform availability
  • Transparency without oversharing

2. Infrastructure and hosting

Velohost operates on reputable, industry-standard infrastructure providers, including:

  • Cloudflare (network security, DDoS protection, TLS)
  • IONOS (hosting and compute infrastructure)
  • Fasthosts (supporting infrastructure services)
  • Plesk (server and service management)

These providers maintain their own security certifications, controls, and compliance programmes.

3. Network and transport security

All Velohost services are delivered over encrypted connections using modern TLS configurations.

Network-level protections include:

  • DDoS mitigation and traffic filtering
  • Web application firewall protections
  • Rate limiting and abuse detection

4. Application security

Velohost tools are designed to process input safely and avoid persistent storage wherever possible.

Security measures include:

  • Strict input validation
  • Separation of concerns between services
  • Minimal dependency exposure
  • Controlled execution paths

5. Data minimisation

Velohost intentionally limits the collection and retention of data as a security control.

Most tools operate without storing:

  • User identifiers
  • Query histories
  • Persistent analysis results

Where data must be processed, it is handled transiently and discarded immediately after use unless explicitly stated.

6. Access control

Administrative access to systems is strictly limited and protected using strong authentication practices.

Access is granted only where operationally required and reviewed periodically.

7. Third-party services

Velohost relies on trusted third-party services for specific platform functions, including:

  • GitHub (source control and CI)
  • Expo (mobile tooling and distribution)

These providers maintain independent security and compliance programmes.

8. Monitoring and logging

Limited operational logging is used to ensure platform stability, detect abuse, and investigate incidents.

Logs are not used for behavioural profiling or advertising and are retained only as long as operationally necessary.

9. Vulnerability reporting

Velohost welcomes responsible disclosure of security issues.

If you believe you have identified a vulnerability, contact:

[email protected]

Please do not publicly disclose vulnerabilities without allowing reasonable time for investigation and remediation.

10. Incident response

In the event of a security incident, Velohost will take appropriate steps to contain, investigate, and remediate the issue.

Where required by law, affected parties will be notified in accordance with applicable regulations.

11. Policy updates

This Security Policy may be updated to reflect changes in technology, threat landscape, or legal requirements.

Continued use of Velohost services constitutes acceptance of the current version.