Security overview
A plain account of how NeoKivo protects your data: authentication, encryption, access control, and how we handle disclosures.
Updated 2026-07-06
This is a practical overview, not a compliance checklist. NeoKivo holds no formal data-protection certification and no third-party audit seal. Rather than point at a badge, here is what we actually do.
Accounts and sessions
- Passwords are never stored in plain text. They are hashed by our authentication layer, better-auth, before storage.
- Signing in starts a session backed by a secure cookie, valid for 30 days.
- All traffic to the app and API runs over HTTPS, with HSTS enabled so browsers keep enforcing it.
Documents
Uploaded documents are encrypted at rest with envelope encryption: each file is encrypted with its own data key, and that key is itself encrypted with a key derived specifically for your workspace. A breach of one workspace’s stored keys does not expose another’s.
API keys and webhooks
- API keys are shown to you once, at creation, and never again. Only a SHA-256 hash of the key is stored — we cannot recover a lost key, only reissue one.
- Webhooks you configure are signed with a per-workspace secret, so your endpoint can verify a payload really came from NeoKivo.
- Incoming webhooks we rely on, such as Stripe’s, are signature-verified before we act on them.
Access control and audit
Access to workspace data is governed by roles and permissions, plus per-deal visibility rules on top of them, so a role grant does not automatically mean every deal is visible. Security-relevant actions — role changes, permission changes, exports, deletions and restores — are written to an audit log.
Reporting a problem
If you find a security issue, email hello@neokivo.com with what you found and how to reproduce it. We read every report and will follow up directly.
Spotted something out of date? Email hello@neokivo.com.