Browse documentation

Security overview

A plain account of how NeoKivo protects your data: authentication, encryption, access control, and how we handle disclosures.

Updated 2026-07-06

This is a practical overview, not a compliance checklist. NeoKivo holds no formal data-protection certification and no third-party audit seal. Rather than point at a badge, here is what we actually do.

Accounts and sessions

  • Passwords are never stored in plain text. They are hashed by our authentication layer, better-auth, before storage.
  • Signing in starts a session backed by a secure cookie, valid for 30 days.
  • All traffic to the app and API runs over HTTPS, with HSTS enabled so browsers keep enforcing it.

Documents

Uploaded documents are encrypted at rest with envelope encryption: each file is encrypted with its own data key, and that key is itself encrypted with a key derived specifically for your workspace. A breach of one workspace’s stored keys does not expose another’s.

API keys and webhooks

  • API keys are shown to you once, at creation, and never again. Only a SHA-256 hash of the key is stored — we cannot recover a lost key, only reissue one.
  • Webhooks you configure are signed with a per-workspace secret, so your endpoint can verify a payload really came from NeoKivo.
  • Incoming webhooks we rely on, such as Stripe’s, are signature-verified before we act on them.

Access control and audit

Access to workspace data is governed by roles and permissions, plus per-deal visibility rules on top of them, so a role grant does not automatically mean every deal is visible. Security-relevant actions — role changes, permission changes, exports, deletions and restores — are written to an audit log.

Reporting a problem

If you find a security issue, email hello@neokivo.com with what you found and how to reproduce it. We read every report and will follow up directly.

Spotted something out of date? Email hello@neokivo.com.