How we handle your data and credentials.
Velora connects to AFIP, MercadoPago, and logistics on your behalf. Below is exactly where sensitive material lives, how it's protected, and what isolation we do and do not yet claim. Only statements that are true today.
Your fiscal certificate and passphrase
- Your AFIP client certificate (.p12) is stored in Google Cloud Storage (bucket velora-arca-certs), scoped by IAM. Google Cloud Storage encrypts all objects at rest (AES-256, Google-managed keys).
- The certificate passphrase is stored in Google Secret Manager — never in our application database. The database holds only references (the storage path and the secret name), never the secret material itself.
- The certificate and passphrase are never written to logs. Wrong-passphrase errors are deliberately opaque so no cipher detail leaks.
- Before anything is stored, the certificate is validated against AFIP (a live WSAA check). If the certificate or passphrase is invalid, nothing is persisted.
- A 90-day rotation policy is set on every stored credential.
Tenant isolation
- Each business's data is isolated at the application layer: every database query is scoped to that business's identifier, enforced consistently through a single data-access layer.
- Sensitive credentials (tax certificates, payment tokens) are kept out of the application database entirely — certificates in IAM-scoped Google Cloud Storage, passphrases in Google Secret Manager.
- Row-security policies exist at the database level but are not active yet: the current database connection role bypasses them, so the application layer is the only tenant isolation in effect today. Activating database-level enforcement (a dedicated non-bypassing role) is a planned hardening step — we don't claim it as protection until it is.
Infrastructure and transport
- Velora runs on Google Cloud (Cloud Run, Secret Manager, Cloud Storage) in the southamerica-east1 region.
- All connections are encrypted in transit (TLS required), including every connection to the database.
- Application, webhook, and agent secrets are sourced from Google Secret Manager — not committed to source control and not stored in the database.
Connecting without uploading a certificate
The trust-preferred way to enable AFIP invoicing is delegation, not a raw certificate upload. From your own AFIP “Administrador de Relaciones” (Clave Fiscal), you authorize Velora's CUIT as a representative for the WSFE web service. You never hand us a .p12 file, and you can revoke the authorization unilaterally from your own AFIP panel at any time.
This is AFIP's own documented mechanism. We are currently provisioning Velora's provider certificate to make delegation the default onboarding path; until then the certificate-upload path (described above) applies.
https://www.afip.gob.ar/ws/wsaa/adminrel.delegarws.pdf
Sub-processors
Velora relies on these providers to operate. Each receives only the data required for its function.
- Google — hosting (Cloud Run), storage (Cloud Storage), secrets (Secret Manager), sign-in (OAuth), and AI models (Gemini).
- Supabase — managed PostgreSQL database for business data.
- MercadoPago — payment processing. Card data is entered only on MercadoPago; Velora never receives or stores card numbers.
- AFIP / ARCA — electronic invoicing web services.
- Meta (WhatsApp) — customer messaging, receipts, and notifications via the WhatsApp Business API.
- Andreani — logistics — shipping quotes and dispatch data when you use shipping tools.