Security & trust

Veric is built as a static analyzer from the ground up. That constraint — no runtime agents, no warehouse row access — gives our customers a materially smaller exposure surface than traditional DSPM tools.

Architecture

The CLI runs in your CI runner or on a developer machine. It reads your dbt project and warehouse `information_schema`, then transmits findings — never rows — to the Veric control plane over HTTPS.

Figure: Veric high-level architecture. The veric CLI runs in CI. It reads dbt manifests and warehouse information_schema metadata, and emits findings to the Veric control plane. Warehouse row data never leaves the customer's environment.

Diagram labels: Your CI / developer machine (veric CLI, AG-backed static analyzer; dbt project (manifest.json); information_schema (metadata only)); Veric control plane (findings + analytics); findings (SARIF/JSON) over HTTPS.

Data handling

  • Code and metadata only. Veric reads dbt manifests, SQL source, and warehouse metadata (column names, types, tags). Rows never transit our systems.
  • Findings, not samples. Findings contain the SQL expression and the lineage path that triggered a rule. We do not include sample values.
  • At rest in Azure. All stored data is encrypted with Azure platform-managed keys. Customer-managed keys are available on Business plans.
  • Audit log. Every admin action in your workspace emits an immutable event.

Trust pillars

We never read your data

Veric analyzes code and schema metadata only. Your warehouse rows stay in your warehouse.

GDPR-compatible

Standard Contractual Clauses, EU data residency on request, subject-access requests within 30 days.

SOC 2 Type II in progress

Type I audit scheduled Q3 2026; Type II window opens immediately after. Security whitepaper on request.

Audit log for every action

Every admin and API-key action in your workspace emits an immutable event you can export.

Compliance & legal

  • GDPR & UK-GDPR: we support Standard Contractual Clauses via our Data Processing Addendum.
  • Subprocessors: current list.
  • SOC 2 Type I audit scheduled Q3 2026; Type II observation window begins immediately after.
  • Security whitepaper available on request — email security@veric.dev.

Responsible disclosure

Report security issues to security@veric.dev. We acknowledge within one business day and aim to remediate critical issues within 30 days.