Security
Security Overview
How Kavanah protects your workspace data — architecture, encryption, access control, tenant isolation, monitoring, and our operational security program.
Last updated: July 1, 2026
Kavanah is a project-management platform used by teams that handle sensitive client data and work inside regulated procurement processes. This document describes the technical and organizational controls that protect that data. It is written to answer the questions a security reviewer asks first; deeper artifacts (SOC 2 report, penetration-test summary, completed SIG/CAIQ questionnaires) are available under NDA from the Trust & Compliance page.
Hosting & infrastructure
Kavanah runs as a serverless application on Vercel, backed by a managed Neon Postgres database. Both providers operate SOC 2-audited data centers with physical security, redundant power, and encryption at rest enforced at the infrastructure layer. We do not operate our own physical servers.
Compute runs on isolated, per-request function instances; there is no long-lived shared application host that could retain one customer's data in memory across another customer's request. A full inventory of the vendors that process customer data is published on our Sub-processors page.
Encryption
| Layer | Protection |
|---|---|
| Data in transit | TLS 1.2+ for all client and API traffic. HSTS enforced on the production domain. |
| Data at rest | AES-256 encryption at the database and storage layer, provided by our managed infrastructure. |
| Sensitive fields | Integration credentials, OAuth tokens, and MFA secrets are additionally encrypted at the application layer with AES-256-GCM (authenticated encryption) using a per-deployment key, so they are never stored as readable plaintext even inside the database. |
| Secrets | API keys and signing secrets are stored as environment secrets in the platform vault, never in source control. |
Authentication & access
User authentication
Passwords are hashed with bcrypt and never stored or logged in plaintext. Sessions are issued as signed JWTs with server-side validation on every request. Kavanah supports:
- Single sign-on (SSO) via SAML 2.0 and OIDC for enterprise identity providers.
- Multi-factor authentication (MFA) with TOTP authenticator apps.
- OAuth sign-in with Google, GitHub, and other supported providers.
Authorization
Access within a workspace is governed by role-based permissions (owner, admin, member, and client-portal roles). Administrative and AI-agent capabilities are further constrained by granular permission scopes, so an account — human or automated — can only reach the surfaces it is explicitly granted.
Tenant isolation
Kavanah is a multi-tenant application in which every customer's data lives under a workspace boundary. Every workspace-scoped database query is required to filter by workspace_id. This is not left to reviewer discipline: a continuous-integration linter scans the codebase on every change and fails the build if a query against a workspace-scoped table is missing its tenant filter. Any exception must be explicitly allow-listed with a written justification. This control has already caught and closed real cross-tenant issues before release.
Auditability & monitoring
- Immutable audit logs. Security-relevant read, write, and administrative actions are recorded to an append-only audit log whose immutability is enforced by database triggers, with configurable retention (7+ years) to satisfy long-tail compliance requirements.
- Health monitoring. Platform health and every scheduled background job are monitored through a dedicated health endpoint and cron-health registry that alerts on missed or failing jobs.
- Legal hold & eDiscovery. Deletion of specific users, projects, or workspaces can be frozen under litigation hold, with search and export across messages, tasks, and audit logs.
Resilience & continuity
Customer data is stored in a managed Postgres database with automated, continuous backups and point-in-time recovery. Restore procedures are documented in an operational runbook and exercised on a recurring restore drill — because a backup that has never been restored is not a backup. We are happy to share our target RPO/RTO commitments with enterprise customers under the SLA.
Secure development
- Version-controlled change management with peer review before merge.
- Automated CI on every change: type checking, unit tests, linting, SQL and tenant-scoping checks, and idempotent migration verification.
- Dependency and platform patching on a managed, continuously updated runtime.
- Least-privilege access to production systems, scoped to the engineers who require it.
Data privacy & subject rights
Workspace data is owned by the customer. Kavanah acts as a data processor and does not sell personal information. We support GDPR and CCPA data-subject requests — export or erasure of an individual's data — which workspace owners can initiate from Settings → Data Governance. A Data Processing Addendum (with Standard Contractual Clauses for international transfers) is available for customers who require one. See our Privacy Policy for full detail.
Kavanah embeds AI features. How customer data is (and is not) used by the underlying AI providers — including our no-training posture — is documented separately on the AI Transparency page.
Vulnerability reporting
We welcome reports from security researchers. If you believe you have found a vulnerability, email security@kavanah.ai with the details and steps to reproduce. We investigate all good-faith reports and will not pursue action against researchers who act responsibly and avoid privacy violations or service disruption.
Questions from a security, privacy, or procurement team? Email security@kavanah.ai. For SOC 2, penetration-test, or questionnaire artifacts shared under NDA, use the request forms on the Trust & Compliance page.