Department-head approval tier · billed annually

Priced for the 500–5,000 employee mid-market — not Fortune 500 named-account procurement.

Free open-source MCP for engineers to prove the problem locally. Three paid Fleet tiers for the fleet-wide rollout, with evidence export for EU AI Act, ISO 42001, NIST AI RMF, SOC 2, HIPAA, and PCI-DSS included in every paid tier.

For individual engineers

@veladon/mcp-pii-redactor

Free

open source · Apache-2.0

Local MCP server that redacts 16 PII patterns before prompts reach ChatGPT, Claude, Cursor, or Claude Code. Hash-only audit log on your machine. Install in 30 seconds.

  • 16 built-in redaction rules (PII, secrets, codenames)
  • Runs locally — no network call, no telemetry
  • Hash-only audit log at ~/.veladon/audit.jsonl
  • Works with Claude Code, Cursor, any MCP-compatible client
  • Best-effort GitHub support
Install the MCP →

Most common entry point

500–1,000 employees

Veladon Fleet — Starter

$1,200/mo

billed annually · $14,400 ACV

Browser-side enforcement across ChatGPT, Claude, Gemini, and 50+ surfaces. Deploy in a day via Intune / Jamf / Chrome Enterprise. First quarterly evidence pack at day 30.

  • Browser extension — Chrome, Edge, Firefox
  • 500+ enforcement rules + 1 industry pack included
  • Centralized admin console + SIEM export
  • Evidence export wizard (EU AI Act / ISO 42001 / NIST AI RMF / SOC 2 / HIPAA / PCI-DSS)
  • MDM-based deployment (Intune / Jamf / Chrome Enterprise)
  • 24-hour response SLA · quarterly security review
Book a 15-min call →

1,000–2,500 employees

Veladon Fleet — Growth

$2,500/mo

billed annually · $30,000 ACV

Everything in Starter, plus ML classifier for your custom codenames, client IDs, and project names. Three industry packs included. Dedicated deployment engineer.

  • Everything in Starter
  • ML classifier — custom codenames, client IDs, project names
  • 3 industry packs included (healthcare / financial / defense / legal / education — pick 3)
  • Dedicated deployment engineer for first 90 days
  • Quarterly regulatory briefing — EU AI Act / NY DFS / state-law updates
  • Priority 4-hour response SLA

2,500–5,000 employees

Veladon Fleet — Scale

$5,000/mo

billed annually · $60,000 ACV

All industry packs + cross-department policy scoping. Direct evidence handoff to Big 4 / audit firms. Quarterly CISO-office review with the Veladon founding team.

  • Everything in Growth
  • All 5 industry packs (healthcare / financial / defense / legal / education)
  • Cross-department policy scoping — per-team rule profiles
  • Direct evidence handoff to Big 4 auditors (PwC / Deloitte / KPMG / EY / Grant Thornton / RSM / BDO)
  • Quarterly CISO-office review with Veladon founding team
  • 1-hour response SLA · named customer success engineer

The pricing logic

Why tier by employee count

Three things scale with headcount, and every one of them changes the cost of delivering Veladon Fleet: rule count, deployment scope, and compliance burden.

Rule count: a 500-employee fintech operates with a tight product line and a shorter list of client identifiers and codenames to protect. A 4,000-employee healthcare system has 18 product lines, three clinical networks, and hundreds of partner IDs — the ML classifier has to learn and protect a superset of that. More rules, more training data, more tuning.

Deployment scope: deploying across 500 endpoints is a single MDM push. Deploying across 4,000 endpoints is a staged rollout across 3-5 business units, each with its own change-management window, help-desk escalation path, and endpoint-security review. The 4,000-employee deployment consumes 5-8x more of our engineering runway than the 500-employee deployment.

Compliance burden: EU AI Act Article 26 deployer obligations apply to every AI system in use — the more employees, the larger the surface area and the longer the evidence pack. A 4,000-employee deployer files an evidence pack roughly 8x the volume of a 500-employee deployer at the same cadence. The Growth and Scale tiers underwrite that larger compliance surface.

Included in every paid tier · not a policy-pack upcharge

Evidence export — the artifact auditors actually ask for

The Fleet evidence-export wizard produces a JSON archive plus a signed PDF summary, pre-mapped to the framework controls your auditor will request. No services hours are needed to assemble the pack. It is generated on demand and handed off in the format every Big 4 auditor signs off on.

  • EU AI Act · Article 26 (deployer obligations): Usage logs, human oversight records, Article 26(4) GDPR alignment, Article 26(5) affected-person notification.
  • ISO/IEC 42001:2023 · Annex A.6.2.3 (responsible AI use): Plus A.7 (data), A.9 (use), A.10 (third-party) operational controls.
  • NIST AI RMF 1.0 · MAP-4.1 (TEVV usage monitoring): Plus GOVERN-1.4, MEASURE-2.7, MANAGE-4.1 sub-category evidence.
  • SOC 2 · CC6.2 (logical access control): Plus CC7.2 (monitoring) and AICPA 2024 Additional Considerations for AI.
  • HIPAA Security Rule · §164.312(b) audit controls: With 18 Safe Harbor PHI identifiers redacted in-line before AI egress.
  • PCI-DSS v4.0 · Requirement 10.2 (audit trail): PAN and cardholder data redacted before any public LLM request.

Pricing questions CISOs ask

Billing, pilot, security review, cancellation

How is billing handled?
All paid Fleet tiers are billed annually, invoiced NET-30 via Stripe or ACH. We do not bill monthly at the paid tier — the annual commitment is what lets us hold the price flat across the year and avoid the 3-9 month procurement cycle that mid-market usually faces. First invoice ships after the pilot close-date, not at contract signing.
Can we run a paid pilot before the annual commitment?
Yes. The standard motion is a 30-day paid pilot ($1,200 for Starter, $2,500 for Growth, $5,000 for Scale — no discount, full-price month-one) that converts to the annual contract if we meet the agreed success criteria. Pilot success criteria are written into the statement of work up-front: typically 3 criteria around redaction rate, false-positive rate, and evidence-pack format acceptance.
What does the security review look like?
We ship a SOC 2 Type II report at contract signing, plus a pre-filled CAIQ, SIG-Lite, and the vendor security questionnaire your GRC team already has on file. Legal review takes 7-14 days in our experience with mid-market InfoSec. For the regulated sub-segment we hold live Q&A with your InfoSec team during the pilot — Seungdo joins those calls personally.
What happens if we cancel?
You can cancel any annual contract at the renewal date with 30 days' written notice. Mid-contract cancellation is allowed with cause (service-level miss >48 hours repeated, or the feature-set published at contract signing is materially reduced). Your evidence pack, audit log, and admin console data exports are retained for 90 days after contract end so you can hand them to your next vendor cleanly.
Why is this priced by employee count instead of user seats?
Because your EU AI Act Article 26 obligations scale with the number of employees potentially using AI — not just the users who opted in. Seat-based pricing creates the exact shadow-AI blind spot Veladon exists to close. Employee-count pricing aligns our incentives with your coverage obligation: we want you to deploy across everyone, not just the security team.
Are custom industry packs available?
Yes, in the Scale tier. Custom packs — for example, defense ITAR export-control terms, healthcare revenue-cycle codes, or financial-services product codenames — are built and validated during the first 30 days of the annual contract. Typical turnaround is 14 calendar days per custom pack.
What does the evidence export actually contain?
A JSON archive of every redaction event (prompt hash, policy hit, framework mapping, timestamp, user hash, endpoint, latency), a signed PDF summary mapped to your specified frameworks, and an exception report for any rule-misses that fell back to alert-only mode. The format is what Big 4 auditors have been signing off on for quarterly PCAOB, NY DFS 500, and ISO 42001 attestations.
What does my discovery call actually cover?
Fifteen minutes with Seungdo, the Veladon founder. Agenda: (1) your specific framework pressure — is it EU AI Act by August 2, 2026, an ISO 42001 cert timeline, a SOC 2 Type II mid-point, or a customer ask? (2) your current coverage gap — what your existing DLP does not catch on the ChatGPT / Claude / Gemini surface. (3) whether Veladon is actually a fit, and if not, which competitor (Harmonic / Prompt Security / Purview AI Hub) is. No pitch deck, no pricing theatre.

Ready to talk pricing with a real fleet in mind?

Fifteen minutes with Seungdo. We scope your specific framework pressure and confirm whether Veladon is the right fit — or point you at the competitor that is.