Last updated April 2026

Security at Kolvera

Protecting your data is foundational to how we build Kolvera. This page outlines the security measures we have in place across authentication, encryption, infrastructure, and application design.

TL;DR

Bcrypt password hashing. AES-128-CBC encryption at rest with HMAC-SHA256 integrity. Rate limiting on every endpoint. CSRF protection on all forms. Tenant-isolated multi-tenancy. Stripe handles all payments. All connections over HTTPS with HSTS.

Authentication & Access Control

  • Password security — All passwords are hashed using bcrypt with industry-standard work factors. We never store plaintext passwords.
  • Account lockout — Accounts are temporarily locked after repeated failed login attempts to prevent brute-force attacks.
  • Email verification — All accounts require email verification with time-limited tokens that expire after 24 hours.
  • Multi-provider sign-in — Google, Microsoft, and GitHub OAuth with full state parameter validation to prevent cross-site request forgery during sign-in.
  • Session security — Sessions are protected with HttpOnly, Secure, and SameSite cookie flags. Session tokens are regenerated on login to prevent session fixation.
  • Role-based access — Team members are assigned Admin or Member roles with enforced permission boundaries.

Data Isolation

  • Multi-tenant architecture — Every database query is scoped to the authenticated organisation. Users can never access another organisation’s data.
  • Team data isolation — Agency and Enterprise plans support configurable isolation modes. In “Separate” mode, team members only see their own contacts, campaigns, calls, and pipeline — with admin oversight via a toggle.
  • Per-user settings — Email signatures, timezones, contact details, and business context are stored per-user. Team members’ personal settings are never shared or leaked to other members.

Encryption

  • Data at rest — All sensitive credentials (OAuth tokens, SMTP passwords, CRM API keys) are encrypted using AES-128-CBC symmetric encryption with HMAC-SHA256 integrity verification.
  • Key derivation — Encryption keys are derived using PBKDF2 with 100,000 iterations, following NIST recommendations.
  • Data in transit — All connections use HTTPS with HTTP Strict Transport Security (HSTS) enforced.
  • API tokens — API tokens are hashed using SHA-256 before storage. The plaintext token is shown once at creation and never stored.

API & Rate Limiting

  • Rate limiting — Every endpoint in the application is rate-limited to prevent abuse, with stricter limits on authentication, billing, and enrichment endpoints.
  • CORS restrictions — API access is restricted to authorised origins only. No wildcard origins are permitted.
  • CSRF protection — All state-changing requests require CSRF tokens. API endpoints use token-based authentication instead.

Payment Security

  • Stripe integration — All payment processing is handled by Stripe. Kolvera never stores credit card numbers or payment details.
  • Webhook verification — All payment webhook events are verified using cryptographic signatures before processing.
  • Atomic transactions — Credit deductions use database-level row locking to prevent race conditions or double-spending.

Application Security

  • XSS prevention — All user-generated content is automatically escaped. HTML email content is sanitised using a strict tag and attribute allowlist.
  • SQL injection prevention — All database queries use parameterised statements. No raw SQL is used anywhere in the application.
  • Security headers — Content Security Policy, X-Frame-Options (DENY), Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers on every response.

Email Security

  • Header injection prevention — All email headers are sanitised to prevent injection attacks.
  • Spam Act compliance — Every outbound email includes a one-click unsubscribe link and business address footer, compliant with the Australian Spam Act 2003.
  • Cryptographic unsubscribe — Unsubscribe tokens are signed using HMAC-SHA256 to prevent tampering.

Infrastructure

  • Cloud hosting — Kolvera is hosted on enterprise-grade cloud infrastructure with automatic deployments from a protected main branch.
  • CI/CD pipeline — Every code change passes automated unit, security, and integration tests before deployment.
  • Secret management — All API keys, database credentials, and encryption keys are stored as environment variables. No secrets are hardcoded in source code.
  • Error handling — Application errors are logged internally. Users never see stack traces, database details, or internal system information.

Third-Party Integrations

  • Webhook security — All inbound webhooks from third-party providers are verified using provider-specific cryptographic signatures before processing.
  • OAuth security — All OAuth flows use state parameters validated with cryptographically random tokens.
  • Credential storage — Third-party API keys and OAuth tokens are encrypted at rest and never logged.

Responsible Disclosure

If you discover a security vulnerability, please contact us at security@kolvera.io. We take all reports seriously and will respond within 48 hours.

Kolvera is built and maintained in Australia. We are committed to protecting your data and continuously improving our security posture.