Reliability & data handling
A credential broker has to be dependable as well as secret. This page covers how Veil Keys is operated, how your data is stored and protected at the platform level, and what happens when you delete something. It describes the model and the guarantees — not infrastructure specifics.
Where your data lives
Veil Keys runs on managed, backed-up PostgreSQL hosted in the EU, chosen for low latency and encrypted storage. “Managed” means the database has operational backups; “EU” means your data resides in the European Union. Everything sensitive in that database is already ciphertext under the envelope-encryption scheme, so the storage layer never holds a plaintext secret.
Transport and platform hardening
| Control | What it does |
|---|---|
| TLS 1.3 | Modern, forward-secret transport for every connection |
| Rate limiting on auth and reveals | Blunts brute-force login attempts and bulk plaintext extraction |
| Content-Security-Policy (CSP) | Constrains what the app is allowed to load and execute |
| HSTS | Forces HTTPS, preventing downgrade to plaintext HTTP |
X-Content-Type-Options: nosniff | Stops MIME-type confusion attacks |
| Anti-framing | Blocks clickjacking by refusing to be embedded in hostile frames |
These are the standard, named web-security headers, applied so the hosted surface isn’t the weak link.
SSH keys are sign-only
SSH private keys are a special case: there is no path, through any API, that returns an SSH private key. The key is used to sign challenges on the server side and nothing more. An agent or CI job asks Veil to sign; it receives a signature, never the key.
Deletion and the 30-day grace period
Deletion is soft with a recovery window, so an accidental or malicious deletion isn’t instantly catastrophic:
- Deleting an account or organization marks it deleted but retains it for a 30-day grace period.
- During that window the data can be restored on next login — you log back in and it’s there.
- After the grace period, a purge job hard-deletes the data permanently.
Reliability posture, stated honestly
- You are trusting a hosted service. Availability depends on Veil’s infrastructure being up. The managed database and backups exist to make that dependable, but a hosted broker is, by definition, a dependency. For teams that can’t accept that, a fully local mode is on the roadmap — see the limits in How it stays secret.
- Backups are for durability, not a second copy of plaintext. They protect against data loss; they do not create a new place where secrets sit readable, because there is no readable copy to begin with.
- Deletion is final after the window. The 30-day grace is generous, but once the purge runs the data cannot be recovered. Plan restores within the window.
Related
- Encryption at rest & in transit — the cipher suite and key hierarchy behind the storage guarantees.
- The audit trail — the durable record of what happened.
- Database proxy — read-only, PII-masked database access for agents.