13 April 2026
Product Update — 13 April 2026
TL;DR
Major security hardening pass: rate limiting on every endpoint, account lockout, email verification TTL, tenant isolation fixes, Agency team data separation, admin oversight toggle, AI email editor, 34 system emails rewritten, and a public /security page for transparency.
Security Hardening
- Rate limiting on every endpoint — Authentication, API, billing, enrichment, AI, booking, and all data mutation routes are now rate-limited. Prevents brute force, credit drain, and abuse.
- Account lockout — Accounts are temporarily locked after repeated failed login attempts. Resets automatically on successful login.
- Email verification TTL — Verification tokens now expire after 24 hours. Previously they lived forever.
- Inbox tenant isolation — Email logs and inbound replies are now scoped to your organisation. Every query includes tenant verification.
- API token scoping — Token revoke and delete operations now verify both user and organisation ownership.
- Dialler caller ID validation — Outbound calls validate the from-number belongs to the calling user. Prevents team members impersonating each other’s phone numbers.
- Credit allocation enforcement — Split-evenly mode now computes a fair share when allocations haven’t been set, preventing unlimited spending.
- Public security page — New /security page with full transparency on our security practices. Linked from the landing page nav.
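An added example (not Kolvera's code) of the ownership check described under "Inbox tenant isolation" and "API token scoping": the revoke statement carries both the user and the organisation in its WHERE clause. The schema, function names and sample rows are assumptions constructed for illustration, and the unscoped variant is a generic contrast case, not a statement about the product's earlier code.

```python
import sqlite3

def make_db():
    """In-memory store with constructed sample rows (two organisations)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE api_tokens (
        id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
        org_id INTEGER NOT NULL, revoked INTEGER NOT NULL DEFAULT 0)""")
    db.executemany(
        "INSERT INTO api_tokens (id, user_id, org_id) VALUES (?, ?, ?)",
        [(1, 10, 100),   # alice, org 100
         (2, 11, 100),   # bob, same org as alice
         (3, 20, 200)])  # carol, different org
    return db

def revoke_unscoped(db, token_id):
    """Contrast case: trusts the token id alone, so ownership is never checked."""
    cur = db.execute("UPDATE api_tokens SET revoked = 1 WHERE id = ?", (token_id,))
    return cur.rowcount == 1

def revoke_scoped(db, token_id, session_user_id, session_org_id):
    """Hardened form: ownership is part of the WHERE clause, and both ids come
    from the authenticated session, never from the request body."""
    cur = db.execute(
        "UPDATE api_tokens SET revoked = 1 "
        "WHERE id = ? AND user_id = ? AND org_id = ? AND revoked = 0",
        (token_id, session_user_id, session_org_id))
    db.commit()
    # rowcount 0 covers "not found", "not yours" and "already revoked" alike,
    # so the handler can answer with one generic 404 and not leak which ids exist.
    return cur.rowcount == 1

def is_revoked(db, token_id):
    row = db.execute("SELECT revoked FROM api_tokens WHERE id = ?", (token_id,)).fetchone()
    return bool(row[0])

if __name__ == "__main__":
    db = make_db()
    print("unscoped, another user revokes alice's token:", revoke_unscoped(db, 1))
    db = make_db()
    print("scoped, bob (same org) on alice's token:", revoke_scoped(db, 1, 11, 100))
    print("scoped, carol (other org) on alice's token:", revoke_scoped(db, 1, 20, 200))
    print("scoped, alice on her own token:", revoke_scoped(db, 1, 10, 100))
```

The same pattern applies to read paths: filter on the session's organisation in the query itself so an unscoped row is never fetched in the first place.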
Agency Team Isolation
- Contact isolation enforced — In “Separate” mode, every contact lookup now verifies the record belongs to the requesting team member. Covers all contact operations.
- Call log isolation enforced — All call log operations now respect team data boundaries.
- Admin team view toggle — New sidebar button lets admins switch between “All Team Data” (oversight) and “My Data” (personal view). Session-persisted.
- Per-user settings fully isolated — Email signatures, timezones, send schedules, contact details, and business context no longer fall back to shared team defaults in Separate mode. Each member gets their own values, or empty values if none are set.
AI Email Editor
- Admin email editor — New admin page with preview, test send, and AI-powered rewrite for all 34 system emails.
- 34 system emails rewritten — Professional tone with strategic subject lines. 3 new lifecycle emails: Discover Calendar (Day 5), Discover Integrations (Day 12), Discover Booking Links (Day 24).
- Anti-spam compliance — Logo header, unsubscribe footer, and List-Unsubscribe headers on every system email.
Email Enrichment
- Email pattern detection — When enriching contacts, Kolvera now detects email naming conventions from existing verified emails at the same company. Tries the detected pattern first for higher accuracy.
Onboarding & UX
- 6-step onboarding — Restructured from 4 steps: Market, Playbook, Contact Details, Email Timezone + Work Hours, Global Timezone, Business Context.
- Setup checklist improvements — Two-timezone split (app + email sending), pre-fills from onboarding data, Business Context step with AI generation.
- Changelog page public — Visitors can now view product updates without signing in.
- Full app audit — Comprehensive application audit resolved multiple security and quality issues across the entire platform.