Security
Last Updated: April 4, 2026
Our Approach
Security is built into Chasivo from the architecture level, not added as an afterthought. We handle sensitive financial data — invoice amounts, payment records, customer information, and email content — and we treat every piece of it with the care it deserves.
Infrastructure
| Measure | Detail |
|---|---|
| Hosting | Railway (application), Supabase (database), both on AWS infrastructure |
| Region | Primary database in AWS us-east-1. Website hosted on Hostinger (EU — Lithuania/Netherlands) |
| Encryption in transit | TLS 1.2+ enforced on all connections. HSTS enabled |
| Encryption at rest | AES-256 encryption on all stored data |
| Backups | Automated daily backups via Supabase with point-in-time recovery |
Application Security
| Measure | Detail |
|---|---|
| Authentication | Supabase Auth with magic links and Google OAuth. No passwords stored by Chasivo |
| Multi-tenant isolation | Row-Level Security (RLS) on every database table. Users can only access their own data. Automated cross-tenant testing validates isolation |
| API protection | Every API route is protected by guardRoute() — authentication, CORS allowlist, rate limiting, and request body size validation |
| Rate limiting | Upstash Redis-based rate limiting on all API endpoints. Graceful degradation if Redis is unavailable |
| Input validation | Zod schema validation on all API route inputs |
| XSS protection | DOMPurify sanitization of all user-generated content before it is rendered as HTML |
| CORS | Hardcoded allowlist: app.chasivo.com, hq.chasivo.com, localhost:3000 (development only) |
| Security headers | Content Security Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Permissions-Policy, Referrer-Policy |
AI Security
| Measure | Detail |
|---|---|
| PII sanitization | All data is processed through sanitizeForAI() before being sent to AI models. Email addresses, phone numbers, and other identifiers are stripped |
| Output validation | AI model responses are validated through validateAIOutput() before storage or display |
| No model training | Neither Anthropic nor Google uses your data to train its AI models. This is guaranteed contractually |
| Human oversight | Three modes (Manual, Copilot, Autopilot) ensure you control the level of AI autonomy |
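The PII sanitization and output validation rows above describe a round trip: identifiers are stripped before the prompt leaves the server, and the model's answer is checked before it is stored or shown. The following is an added example of that round trip in TypeScript; it is not Chasivo's sanitizeForAI() or validateAIOutput(). The regular expressions, the `[EMAIL_n]` placeholder format, the re-hydration step and the inclusion of IBANs as an "other identifier" are assumptions, and the sample text is constructed.

```typescript
// Added example (not Chasivo's sanitizeForAI()/validateAIOutput()): replace
// e-mail addresses, IBANs and phone numbers with stable placeholders, keep the
// originals in a server-side map, and validate the model's answer.

export type PlaceholderMap = { [placeholder: string]: string };
export interface Sanitized { text: string; map: PlaceholderMap }

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// IBAN (assumed rule): country code, two check digits, 4-char groups with optional spaces.
const IBAN_RE = /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b/g;
// Phone candidates: a run of digits and separators, accepted only if it has
// 9-15 digits so amounts (1,250.00), dates and invoice numbers survive.
const PHONE_CANDIDATE_RE = /\+?\d[\d\s().-]{7,}\d/g;

function isPhone(candidate: string): boolean {
  const digits = candidate.replace(/\D/g, "").length;
  return digits >= 9 && digits <= 15;
}

export function sanitizeForAI(input: string): Sanitized {
  const map: PlaceholderMap = {};
  const seen: { [original: string]: string } = {};
  const counters: { [kind: string]: number } = {};
  // Same original value -> same placeholder, so the model can refer to it consistently.
  const tag = (kind: string, original: string): string => {
    if (!seen[original]) {
      counters[kind] = (counters[kind] || 0) + 1;
      seen[original] = "[" + kind + "_" + counters[kind] + "]";
      map[seen[original]] = original;
    }
    return seen[original];
  };
  let text = input.replace(EMAIL_RE, (m) => tag("EMAIL", m));
  text = text.replace(IBAN_RE, (m) => tag("IBAN", m));
  text = text.replace(PHONE_CANDIDATE_RE, (m) => (isPhone(m) ? tag("PHONE", m) : m));
  return { text, map };
}

// Put the real values back into the model's answer. Server side only: the map
// never leaves the process that built it.
export function rehydrate(output: string, map: PlaceholderMap): string {
  return output.replace(/\[(?:EMAIL|PHONE|IBAN)_\d+\]/g, (p) => (map[p] !== undefined ? map[p] : p));
}

// Reject an answer that references a placeholder we never issued (the model
// invented a contact) or that contains raw PII we did not give it.
export function validateAIOutput(output: string, map: PlaceholderMap): { ok: boolean; problems: string[] } {
  const problems: string[] = [];
  const placeholders = output.match(/\[(?:EMAIL|PHONE|IBAN)_\d+\]/g) || [];
  for (const p of placeholders) if (map[p] === undefined) problems.push("unknown placeholder " + p);
  const emails = output.match(EMAIL_RE) || [];
  for (const e of emails) problems.push("raw email in output: " + e);
  const phones = (output.match(PHONE_CANDIDATE_RE) || []).filter(isPhone);
  for (const p of phones) problems.push("raw phone number in output: " + p);
  return { ok: problems.length === 0, problems };
}

// Constructed sample, not real data.
export const SAMPLE_MESSAGE =
  "Hi Maria, invoice INV-2024-0042 for EUR 1,250.00 is overdue. " +
  "Reach me at maria.lopez@example.com or +44 20 7946 0958. " +
  "Pay to DE89 3704 0044 0532 0130 00 by Friday.";
```

Run on the constructed sample, the invoice number and amount are left intact while the address, phone number and IBAN become `[EMAIL_1]`, `[PHONE_1]` and `[IBAN_1]`. Pattern-based stripping is best-effort: the name "Maria" is not an identifier any of these rules can recognise, which is why output validation and the page's human-oversight modes matter as a second line of defence rather than relying on sanitization alone.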
Email Integration Security
| Measure | Detail |
|---|---|
| OAuth 2.0 | Gmail integration uses OAuth — we never see or store your email password |
| Token encryption | OAuth refresh and access tokens are encrypted in Supabase Vault |
| Scoped permissions | We request only gmail.readonly and gmail.send — the minimum scopes needed |
| Revocable | You can disconnect your email at any time from Settings |
| Google compliance | We adhere to the Google API Services User Data Policy, including Limited Use requirements |
Payment Security
| Measure | Detail |
|---|---|
| PCI compliance | All card processing is handled by Stripe. Chasivo never sees, stores, or transmits credit card numbers |
| Billing portal | Subscription management is handled through Stripe’s hosted billing portal |
Data Protection
| Measure | Detail |
|---|---|
| Secret management | All API keys and secrets are stored as environment variables, never in client-side code. Build-time checks (check-env-safety.mjs) prevent accidental exposure |
| Environment isolation | Client-safe variables (NEXT_PUBLIC_*) are separated from server-only secrets. Server-only modules cannot be imported in client components |
| Audit logging | Sensitive operations (OAuth token creation/revocation, account deletion, security events) are logged |
| Soft delete | Account deletion triggers a 90-day recovery window before permanent deletion |
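The secret management and environment isolation rows above describe a build-time check and a naming convention. What such a check can actually verify is shown below as an added example in TypeScript; it is not Chasivo's check-env-safety.mjs. The `NEXT_PUBLIC_` prefix is Next.js's convention for client-exposed variables; the three finding kinds, the list of secret-looking words, the minimum value length and the constructed environment and bundle contents are assumptions.

```typescript
// Added example (not Chasivo's check-env-safety.mjs): scan built client
// bundles for server-only secrets. Environment and bundle contents are
// constructed; the NEXT_PUBLIC_ prefix is Next.js's convention.

export interface EnvFinding {
  variable: string;
  file: string | null;
  kind: "value-in-bundle" | "name-in-bundle" | "secret-marked-public";
}

// Words that make a NEXT_PUBLIC_ variable name look like it holds a secret.
const SECRET_WORDS = ["SECRET", "PRIVATE", "SERVICE_ROLE", "PASSWORD"];
// Unprefixed names that client code legitimately references.
const ALLOWED_UNPREFIXED = ["NODE_ENV"];
// Values shorter than this ("true", "production") are too common to grep for.
const MIN_VALUE_LENGTH = 12;

export function findEnvLeaks(env: { [name: string]: string }, bundles: { [file: string]: string }): EnvFinding[] {
  const findings: EnvFinding[] = [];
  const files = Object.keys(bundles);
  for (const name of Object.keys(env)) {
    const value = env[name];
    if (name.indexOf("NEXT_PUBLIC_") === 0) {
      // Client-safe by convention, so only the name can be wrong: a secret that
      // someone exposed to the browser by renaming it.
      for (const w of SECRET_WORDS) {
        if (name.indexOf(w) !== -1) {
          findings.push({ variable: name, file: null, kind: "secret-marked-public" });
          break;
        }
      }
      continue;
    }
    if (ALLOWED_UNPREFIXED.indexOf(name) !== -1) continue;
    for (const file of files) {
      const content = bundles[file];
      if (value.length >= MIN_VALUE_LENGTH && content.indexOf(value) !== -1) {
        // The secret itself was inlined into client code.
        findings.push({ variable: name, file, kind: "value-in-bundle" });
      } else if (content.indexOf("process.env." + name) !== -1) {
        // A server-only name referenced from client code has no value in the
        // browser; it usually means a server-only module was imported into a
        // client component.
        findings.push({ variable: name, file, kind: "name-in-bundle" });
      }
    }
  }
  return findings;
}

// Throws, and therefore fails the build, when anything leaked.
export function assertEnvSafe(env: { [name: string]: string }, bundles: { [file: string]: string }): void {
  const findings = findEnvLeaks(env, bundles);
  if (findings.length === 0) return;
  const lines = findings.map((f) => "  " + f.kind + " " + f.variable + (f.file ? " in " + f.file : ""));
  throw new Error("env safety check failed:\n" + lines.join("\n"));
}

// Constructed environment and bundle fragments; none of these values are real.
export const SAMPLE_ENV: { [name: string]: string } = {
  NEXT_PUBLIC_SUPABASE_URL: "https://abc.supabase.co",
  NEXT_PUBLIC_SUPABASE_ANON_KEY: "anon-key-constructed-000",
  SUPABASE_SERVICE_ROLE_KEY: "service-role-constructed-111",
  STRIPE_SECRET_KEY: "sk_test_constructed_222",
  NEXT_PUBLIC_STRIPE_SECRET_KEY: "sk_live_constructed_333", // misnamed: exposed to the browser
  NODE_ENV: "production",
};
export const SAMPLE_BUNDLES: { [file: string]: string } = {
  "static/chunks/app/page.js": 'fetch("https://abc.supabase.co/rest/v1",{headers:{apikey:"anon-key-constructed-000"}})',
  "static/chunks/app/billing.js": 'const k="sk_test_constructed_222";', // secret inlined
  "static/chunks/app/admin.js": "const key=process.env.SUPABASE_SERVICE_ROLE_KEY;", // server-only name in client code
};
```

On the constructed input the check reports three distinct mistakes: a secret value inlined into a client chunk, a server-only variable referenced from client code, and a secret that was made public by giving it the `NEXT_PUBLIC_` prefix. The third case is the one a grep for values cannot catch, and it is the easiest one to make under deadline pressure.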
Responsible Disclosure
If you discover a security vulnerability in Chasivo, please report it to security@chasivo.com. We take all reports seriously and will respond within 48 hours.
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
Questions
For security-related questions, contact security@chasivo.com.
For privacy and data protection questions, see our Privacy Policy or contact privacy@chasivo.com.