
Last updated: May 10, 2026

Security Policy

Security is a core part of how we build and operate Agenvik. This page describes our security practices and how to report vulnerabilities responsibly.

1. Infrastructure Security

  • All traffic is encrypted in transit using TLS 1.2 or higher
  • API servers enforce strict CORS policies — only authorised origins are permitted
  • Security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are applied on all responses
  • Rate limiting is applied globally to prevent abuse and brute-force attacks
  • Database access is restricted to the private network; the database is not exposed publicly

2. Data Protection

  • Sensitive credentials (third-party access tokens) are encrypted at rest using AES-256-GCM before being stored in our database
  • Passwords are never stored — authentication is handled by Clerk using industry-standard protocols
  • Data is logically isolated per organisation — no cross-tenant data access is possible
  • Your data is not used to train AI models — we use the OpenAI API under a Zero Data Retention agreement for inference only

3. Access Controls

  • All API endpoints require authenticated JWT tokens issued by Clerk
  • Every database query is scoped to the authenticated organisation ID — no query can access another tenant's data
  • Admin-only endpoints are protected by a separate allowlist guard
  • Internal team access to production systems follows the principle of least privilege

4. Webhook Security

All inbound webhooks from third-party platforms (Slack, Razorpay) are verified using HMAC-SHA256 signatures before any processing occurs. Requests with invalid or missing signatures are rejected immediately. Timestamp validation is applied where supported to prevent replay attacks.

5. Subprocessors

We rely on the following third-party services to operate Agenvik. Each is bound by a data processing agreement and holds its own security certifications.

Provider                   Purpose
OpenAI                     AI inference (embeddings + chat completions)
Clerk                      Authentication & organisation management
Razorpay                   Payment processing
Resend                     Transactional email
Sentry                     Error monitoring (PII collection disabled)
PostgreSQL (self-hosted)   Primary database
Redis (self-hosted)        Queue & cache

6. Incident Response

In the event of a confirmed security incident affecting customer data, we will notify affected customers within 72 hours of becoming aware of the breach, in line with GDPR requirements. Notifications will be sent to the email address associated with your account and will include the nature of the incident, data affected, and steps being taken.

7. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to us before disclosing it publicly.

  • Email: security@agenvik.com
  • Include a clear description and steps to reproduce
  • Give us reasonable time to investigate and remediate before public disclosure
  • Do not access, modify, or delete data belonging to other users

We will acknowledge your report within 2 business days and keep you updated on our progress. We do not pursue legal action against researchers who act in good faith.

8. Contact

For security-related matters:

security@agenvik.com

For general enquiries:

hello@agenvik.com