Skip to content

Privacy Policy (Draft)

Last updated: 2026-02-17

Warning

This document is a draft placeholder for counsel review and is not legal advice. Do not rely on it as final policy text.

1. Scope

This Privacy Policy describes how VeliKey, Inc. ("VeliKey", "we", "us") processes information in connection with the VeliKey Aegis platform, including Axis and Aegis Agents (the "Service").

TODO(counsel): confirm the contracting entity, address, and required regional disclosures.

2. Information We Collect

Depending on deployment, we may process:

  • Account and organization information (name, email, organization membership, role)
  • Authentication and security events (sign-in timestamps, MFA/SSO configuration events)
  • Billing and subscription metadata (plan, invoices, payment status)
  • Service telemetry and diagnostics (agent status/health, aggregated metrics, error logs)
  • Support information (tickets and messages you send to us)

3. Information We Do Not Intend to Collect

The Service is designed to avoid collecting application plaintext and secret keys. In typical deployments:

  • Aegis enforces TLS policy in Customer infrastructure.
  • Axis receives configuration and aggregated telemetry, not application payloads.

TODO(counsel): verify claims for each deployment model and define exceptions (for example, explicit debug modes).

4. How We Use Information

We use information to:

  • provide and operate the Service
  • secure the Service and enforce tenant isolation
  • support customers (including troubleshooting)
  • bill and administer subscriptions
  • comply with legal obligations

5. How We Share Information

We may share information with:

  • subprocessors who provide infrastructure and operational services
  • service providers acting on our instructions
  • law enforcement or regulators when required by law

We do not sell personal information.

TODO(counsel): add subprocessor list and required contractual statements.

6. Data Retention

Retention depends on data type and configuration:

  • account records: retained while the account is active and as required for legal/compliance
  • operational telemetry: retained for limited periods to provide the Service and support troubleshooting

TODO(counsel): define retention periods by category and add deletion policy details.

7. Security

We apply administrative, technical, and physical safeguards designed to protect information we process.

Customer responsibilities include:

  • protecting API keys, bootstrap tokens, and other credentials
  • limiting access to authorized administrators
  • rotating credentials on suspected compromise

8. Your Choices and Rights

Depending on your location, you may have rights to access, correct, or delete personal information.

TODO(counsel): add GDPR/UK GDPR, CCPA/CPRA, and other jurisdiction-specific rights and request workflows.

9. International Transfers

If we process information outside your country, we implement appropriate safeguards as required by law.

TODO(counsel): add transfer mechanism language (SCCs, etc.) if applicable.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated through the Service or by other reasonable means.

11. Contact

  • Privacy: privacy@velikey.com
  • Security: security@velikey.com
  • Support: support@velikey.com