Last updated · May 30, 2026

Security at Contexion

How we protect your account, your card data, and the relationships you build on Contexion.ai.

Our commitment

Contexion stores the contact details, lead records, and relationship signals that drive your pipeline. Protecting that data is foundational to the trust you place in us. This page describes the controls we operate to keep your information secure, available, and private.

Infrastructure

Contexion runs on enterprise cloud infrastructure (AWS) in geographically distributed regions. Production servers run in private subnets behind tightly scoped security groups; no production database is reachable from the public internet. We use Cloudflare as our edge network and DDoS protection layer.

Production, staging, and development environments are fully isolated — no shared credentials, no shared databases, no shared accounts.

Encryption

  • In transit: all connections use TLS 1.2 or higher with modern cipher suites. HSTS is enabled on all customer-facing domains.
  • At rest: production databases, object storage, and backups are encrypted with AES-256.
  • Secrets: API keys, OAuth tokens, and integration credentials are encrypted with envelope encryption keys rotated regularly.
  • Passwords: never stored in plaintext. We use argon2id hashing with per-user salts.

Access controls

Internal access to production systems is granted on a least-privilege basis. Every employee request for access to production data requires:

  • Mandatory hardware-key multi-factor authentication.
  • Single sign-on through our identity provider.
  • Approval through our access review workflow, audited quarterly.
  • Full audit logging of every privileged action.

Access is automatically revoked when an employee's role changes or they leave the company.

Authentication for your account

  • Email + password with argon2id hashing.
  • Social sign-in via Google, Microsoft, and Apple.
  • Optional two-factor authentication (TOTP and WebAuthn) for all plans.
  • SAML SSO and SCIM provisioning available as an add-on for Team plans and included in Enterprise.
  • Session tokens are bound to device fingerprints and rotated regularly.
  • Suspicious login attempts trigger account-level alerts and an automatic challenge.

Development practices

  • All code changes go through peer review before merging to main.
  • Continuous integration runs automated unit, integration, and security tests on every commit.
  • Static analysis and dependency scanning (CVE checks) run on every build.
  • Secrets are never committed to source control; we enforce this with pre-commit hooks and CI scans.
  • We follow OWASP guidelines for web application security.

Monitoring and incident response

Production systems are monitored 24/7 with automated alerting on anomalous traffic, error rates, latency, and authentication failures. We have a documented incident response playbook with severity classifications and notification timelines.

If a security incident affects your account or data, we will notify you without undue delay — and in any case within 72 hours where required by law.

Backups and disaster recovery

Production databases are backed up continuously with point-in-time recovery up to 30 days. Backups are encrypted, stored in a separate region from primary infrastructure, and tested for restorability on a quarterly cadence. Our recovery time objective (RTO) for a regional outage is 4 hours; the recovery point objective (RPO) is 15 minutes.

Compliance

  • SOC 2 Type II — audit in progress. Report available under NDA when complete.
  • GDPR — we operate as a data processor for our customers' lead data and as a data controller for our own customer accounts. Data Processing Agreements available on request.
  • CCPA / CPRA — we honor consumer rights requests and do not sell personal information.
  • ISO 27001 — alignment in progress; certification planned.

Data privacy

For details on what we collect, how we use it, and who we share it with, see our Privacy Policy. For cookies specifically, see our Cookies Policy.

Reporting a vulnerability

If you believe you have found a security vulnerability in Contexion, please report it confidentially to contact@veloxs.ai. Include reproduction steps and any proof-of-concept code. We commit to:

  • Acknowledging your report within 2 business days.
  • Investigating and responding with our remediation plan within 10 business days.
  • Working with you in good faith on responsible disclosure.
  • Recognizing your contribution publicly (with your permission) once the issue is resolved.

We do not currently operate a formal bug bounty program but treat responsible reports seriously and may offer rewards on a discretionary basis.

Contact

  • Security team: contact@veloxs.ai
  • Privacy questions: privacy@veloxs.ai
  • General: info@veloxs.ai
© 2026 Contexion.ai, a product of Velaxa AI Inc. All rights reserved.