security

last updated: april 25, 2026

we take security seriously because verification is meaningless if the record can't be trusted. here's how vetra is built today.

infrastructure

  • hosted on google cloud platform via firebase (firestore, cloud storage, cloud functions) and on vercel for the web tier.
  • tls 1.2+ on every public surface. http is permanently redirected to https.
  • encryption at rest for all firestore documents and cloud storage objects (google-managed keys).
  • least-privilege service accounts. the firebase admin sdk runs only in server-side api routes; client code uses the firebase client sdk with security-rule enforcement.

authentication

  • passwordless magic-link auth via firebase authentication. no passwords stored, no password reset attack surface.
  • recipient-response links are 24-character url-safe random tokens (~143 bits of entropy). single-use, time-limited (default 14 days), rate-limited per email.
  • api routes that take privileged actions verify firebase id tokens server-side via the admin sdk before doing anything.
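
the single-use, time-limited response links described above, as an added example (not vetra's code). it assumes a 62-character alphanumeric alphabet, for which 24 characters give about 143 bits, and an in-memory map standing in for the datastore; all function names are hypothetical.

```javascript
// Added example: hypothetical names, in-memory Map instead of a real datastore.
const crypto = require("node:crypto");

// Assumption: 62 alphanumeric symbols; 24 * log2(62) is about 142.9 bits.
const ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
const TOKEN_LEN = 24;
const TTL_MS = 14 * 24 * 60 * 60 * 1000; // default lifetime of 14 days, per the page

// crypto.randomInt draws from the CSPRNG and avoids modulo bias.
function newToken() {
  let token = "";
  for (let i = 0; i < TOKEN_LEN; i++) {
    token += ALPHABET[crypto.randomInt(ALPHABET.length)];
  }
  return token;
}

function entropyBits() {
  return TOKEN_LEN * Math.log2(ALPHABET.length);
}

// Only the SHA-256 of the token is stored, so reading the store
// does not reveal a usable link.
function digest(token) {
  return crypto.createHash("sha256").update(token).digest("hex");
}

function issue(store, email, now) {
  const token = newToken();
  store.set(digest(token), { email, expiresAt: now + TTL_MS, usedAt: null });
  return token; // placed in the emailed link, never persisted in the clear
}

// Rejects malformed, unknown, already-used and expired tokens.
// In a real datastore the used-check and the mark must run in one
// transaction so two concurrent requests cannot both succeed.
function redeem(store, token, now) {
  if (typeof token !== "string" || !/^[0-9A-Za-z]{24}$/.test(token)) {
    return { ok: false, reason: "malformed" };
  }
  const rec = store.get(digest(token));
  if (!rec) return { ok: false, reason: "unknown" };
  if (rec.usedAt !== null) return { ok: false, reason: "used" };
  if (now >= rec.expiresAt) return { ok: false, reason: "expired" };
  rec.usedAt = now;
  return { ok: true, email: rec.email };
}
```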

data integrity

  • verified artifacts are immutable. once a coach signs off, the artifact is frozen — evidence files are copied into a snapshot path that survives deletion of the original response.
  • each artifact carries a sha-256 sender signature over (sender_uid, verified_at_ms, slug). v2 will upgrade to real cryptographic signed attestations.
  • firestore security rules enforce ownership at every read/write — coaches can only read vets they sent or received; verified artifacts can only be written server-side via the verification flow.

file uploads

  • recipients upload evidence directly to firebase storage via v4 signed put urls minted server-side. each url is bound to a specific path + content-type and expires in 30 minutes. our serverless functions never see the file bytes.
  • per-file size cap of 50 mb. cors is configured to allow uploads only from sendavet.to and our preview domains.

vulnerability reporting

if you discover a security issue, please report it to security@sendavet.to. we'll acknowledge within two business days. we don't have a paid bug bounty yet, but we'll credit you publicly (with your permission) for responsibly disclosed issues.

compliance roadmap

soc 2, hipaa baa, and gdpr-aligned data-processing agreements are on the enterprise roadmap. for current enterprise needs, email security@sendavet.to — we'll handle the request directly.

questions? email legal@sendavet.to or read the manifesto for the spirit-of-the-thing version.