C/01 Compliance & trust

POPIA-aligned by design, not by promise.

This page is maintained by Veritech to describe the trust posture of VelaCommerce as currently shipped. It is not an independent certification, and specific compliance commitments are agreed per merchant contract.

C/02 Platform controls

Data residency

All merchant and end-customer PII is stored on Veritech's South African footprint. Backups remain in-country.

Encryption

TLS in transit; encryption at rest on all tenant databases. Tier 1 contracts receive per-tenant KMS keys.

Perimeter PII controls

A Compliance Interceptor sits at the egress perimeter and intercepts outbound tracking streams introduced by storefront extensions.

Access controls

Role-based access for merchant staff; auditable session and admin action logs accessible to the merchant.

Tenant isolation

Row-level security (RLS), schema-per-tenant, or a dedicated database, per the contracted tier. Cross-tenant queries are not authorised paths.

Operational practices

Change management, vulnerability monitoring, and incident response handled by the Veritech security organisation under documented procedures.

C/03 Shared responsibility

Vela secures the platform. Merchants secure how they use it.

Vela / platform

  • Hosting, residency, encryption, tenant isolation.
  • Perimeter controls and outbound PII interception.
  • Platform-level patching, monitoring, incident response.
  • Documented audit logs available to the merchant.

Merchant / customer

  • POPIA registration and lawful processing basis.
  • Customer-facing privacy notice and consent flows.
  • Staff access reviews and least-privilege role assignment.
  • Product, pricing, and contract terms with end-customers.

Note on regulatory wording: Vela does not claim POPIA, ISO, or PCI-DSS certification on this page. Specific certifications and audit reports available to a given merchant are confirmed in writing under contract.

Have a procurement or audit questionnaire?

Send it to our trust team