Security at Elevence AI
The technical and operational controls we use to keep your data safe across the web app and the iOS / Android apps.
Last updated 2 May 2026
Applies to web, iOS and Android
1. Authentication
• Sign in with Google (OAuth 2.0), Apple (Sign in with Apple, iOS) or email OTP — passwords are never stored.
• Access tokens are short-lived JWTs with refresh-token rotation.
• API keys are bcrypt-hashed before storage; only the prefix is shown after creation.
• Mobile clients store tokens in the iOS Keychain / Android Keystore via Expo SecureStore. The web app stores them in `localStorage`, which any script running on the origin can read, so the Content-Security-Policy described under Isolation is the control that limits that exposure.
2. Encryption
• TLS 1.2+ for all client-server traffic.
• Encryption at rest for PostgreSQL (Neon), MongoDB Atlas and Cloudflare R2 object storage.
• Backups are encrypted with separate keys and retained for 90 days.
3. Isolation
• Per-organisation data scoping at the API layer; every query is filtered by org ID before it reaches the database.
• Per-org rate limits and credit balances prevent one tenant from affecting another.
• The web app sends Content-Security-Policy, X-Frame-Options: DENY and Strict-Transport-Security headers.
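The first two bullets above are the tenant-isolation controls. The example below is added here to show the shape of both in the API layer; it is not Elevence's own code. The table names, the `org_id` column, and the session object carrying a verified `orgId` are assumptions for illustration.

```javascript
// Added example, not Elevence's own code. Tenant isolation enforced in the API
// layer: the org filter comes from the verified session and is applied before
// anything reaches the database, and each org draws on its own rate-limit
// bucket. Table and column names are assumed.
const ALLOWED_TABLES = new Set(['documents', 'api_keys', 'usage_events']);
const IDENT = /^[a-z_][a-z0-9_]*$/;

// Build a parameterised SELECT that always carries an org_id predicate.
// `extra` holds additional column -> value equality filters from the request;
// it can never supply or override org_id.
function scopedSelect(session, table, extra = {}) {
  if (!session || typeof session.orgId !== 'string' || session.orgId === '') {
    throw new Error('refusing unscoped query: no org in session');
  }
  if (!ALLOWED_TABLES.has(table)) throw new Error(`unknown table ${table}`);
  const values = [session.orgId];
  const clauses = ['org_id = $1'];
  for (const [col, val] of Object.entries(extra)) {
    if (!IDENT.test(col)) throw new Error(`bad column name ${col}`);
    if (col === 'org_id') throw new Error('org_id comes from the session, not the request');
    values.push(val);
    clauses.push(`${col} = $${values.length}`);
  }
  return { text: `SELECT * FROM ${table} WHERE ${clauses.join(' AND ')}`, values };
}

// Per-org token bucket. One tenant's burst empties only its own bucket.
// `now` (seconds) is injectable so behaviour can be checked deterministically.
function makeRateLimiter({ capacity, refillPerSec }) {
  const buckets = new Map();
  return function allow(orgId, now = Date.now() / 1000) {
    let b = buckets.get(orgId);
    if (!b) {
      b = { tokens: capacity, last: now };
      buckets.set(orgId, b);
    }
    b.tokens = Math.min(capacity, b.tokens + (now - b.last) * refillPerSec);
    b.last = now;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  };
}
```

The query builder throws rather than falling back to an unscoped query when the session has no org, and it rejects a request-supplied `org_id` outright; both are the failure modes that turn a scoping bug into cross-tenant data access.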
4. Operational controls
• Least-privilege IAM for staff access; production access is logged and reviewed quarterly.
• All deploys go through CI with required code review and lint / type / test gates.
• Secrets are stored in Google Secret Manager and rotated quarterly.
• Dependencies are scanned for known vulnerabilities on every build (npm audit + Dependabot).
5. Incident response
On-call engineers are paged within 5 minutes of a critical alert. Customers affected by a security incident are notified by email to the primary account contact and within the timelines required by applicable law (typically 72 hours for personal-data breaches under GDPR / DPDP).
6. Compliance roadmap
We are working towards SOC 2 Type II in 2026 and ISO 27001 in 2027. The platform is designed against those control frameworks today.
7. Responsible disclosure
If you believe you have found a security vulnerability, email security@elevence.ai with steps to reproduce. We will acknowledge within 48 hours and aim to remediate critical issues within 7 days. Please do not publicly disclose until we have shipped a fix.
We do not currently run a paid bounty programme, but we credit researchers who responsibly disclose qualifying issues on this page.
8. Contact
Security: security@elevence.ai
Privacy: privacy@elevence.ai