Security & trustFiduciary-grade

Trust is the product.

Veto holds the evidence an office relies on to move settlement funds. It is built to be defensible — for your office, your auditor, your carrier, and a court.

Run a live-file control test See the threat model

✓Restricted evidence in Vault ✓Field-level access · logged ✓Separation of duties

VAULTRestricted evidence

Restricted

Destination account

Account ending 1234

Full value retained in Vault · sha256:9f2a…

Access log 3

S. Lin · Manager Viewed 10:14
Restricted reviewer Viewed 10:31
Break-glass Requested · pending

Audit packet

policy v4
source manifest · 7
event log · 38
exceptions · 1

Reconstructable, end to end.

Trust posture

Built so sensitive evidence is protected by default.

VAULT

Restricted evidence

Account numbers, IDs, tax forms, and raw provider responses live in Vault — redacted by default, surfaced only where policy and role permit.

ACCESS LOGS

Every view recorded

Field-level access control with full view and export logs. Break-glass access is explicit, time-bound, and recorded.

ROLES

Separation of duties

Reviewer, approver, and release roles are distinct. The person who prepares a record isn't the one who approves an exception.

RETENTION

Redaction & retention

Sensitive values are hashed and referenced, not echoed onto records. Retention policy is configurable per field.

IDENTITY

SSO · SAML · SCIM

Enterprise SSO, directory-based provisioning, session and device policy, and audit-log export to your SIEM.

AUDIT PACKET

Reconstructable

Policy version, source manifest, event log, exceptions, and record status — exportable for any after-the-fact review.

Threat model

Built to resist AI-era abuse — not just store data.

The core abuse question: can anyone make Veto create, consume, or export release-supporting review when the source, policy, exception, or role state does not support it? These are the abuses we design and test against.

→Policy-engine bypass and stale Review Record reuse
→Release-code replay and source-row tampering
→Source-limitation suppression
→LLM prompt injection through PDFs and emails
→RAG poisoning via malicious document ingestion
→Callback-record forgery and provider-response spoofing
→Cross-file data leakage and object-level authorization
→Separation-of-duties bypass and audit-packet integrity

AI may prefill source rows; officers confirm. Low-confidence inputs never silently prefill a Review Record as current.

Boundary

What Veto protects — and what it never claims.

What Veto protects

▪The integrity of the Review Record and its source rows
▪Restricted evidence, with field-level access and logs
▪The policy state that gates a covered instruction
▪A reconstructable record of who reviewed and approved

What it never claims

▪That a file is “safe” or that fraud is cleared
▪To move money or confirm account control
▪To authenticate payees beyond a source's actual claim
▪To replace your security program or system of record

The office decides and acts under its escrow instructions and policies. Veto records the review.

Compliance

On the path to formal attestation.

We're standing up the controls and evidence behind these certifications. Status shown is current.

SOC 2 Type II

In progress

SSO / SAML

Available

Data residency

Roadmap

Pen test

Scheduled

Compliance badges · update as attestations land

Talk to security

Bring your security questionnaire.

We'll walk your team through the Vault model, access controls, threat model, and audit packet — on a real file.

Prefer to look first? See a sample Review Record.