Security Overview
Last updated March 2026
Architecture
| Application | Vercel (serverless Next.js), US |
| Database | Neon PostgreSQL, US-East-1 (AWS) |
| Error monitoring | Sentry (PII disabled) |
| Resend (transactional only) | |
| AI | Anthropic Claude API |
All infrastructure runs on Vercel and AWS. No customer data is stored outside these providers.
Data Isolation (Multi-Tenancy)
Every database query is scoped by organization ID. No data is shared, aggregated, or visible between organizations. There is no global admin query or cross-org reporting capability.
A query that omits the organization scope returns zero results by design. Organization scoping is verified across all server action files and intelligence engines. Database indexes enforce organization ID as a leading key on all domain tables.
Authentication & Access Control
| Login | Email + password with bcrypt (12 salt rounds) |
| Sessions | JWT with 7-day expiry, membership verified per request |
| Login throttling | 10 attempts per 15 minutes per account |
| Registration throttling | 5 per 15 minutes per IP |
| Transport | HTTPS enforced — no HTTP fallback |
Roles
| Owner | All actions: settings, roles, member management, data export |
| Admin | Settings, SE management, sync triggers, data export |
| Member | Read-only dashboard access, SE-specific actions |
Roles are checked at the server action level before any database operation.
Integration Security
Evivant operates in read-only mode with all connected systems:
| Salesforce | OAuth scopes: api, refresh_token, offline_access — queries only |
| Google Calendar | OAuth scopes: calendar.readonly, calendar.events.readonly |
| Gong | API key (read scope) — call metadata only |
Evivant never creates, updates, or deletes records in any connected system. Your source-of-truth systems remain untouched.
Token Encryption
All OAuth tokens (access and refresh) are encrypted at rest before database storage:
| Algorithm | AES-256-GCM (authenticated encryption) |
| Key size | 256 bits |
| IV | 12 bytes, cryptographically random per operation |
| Auth tag | 16 bytes (prevents tampering) |
| Storage | Base64-encoded IV + ciphertext + auth tag |
Tokens are never logged, never exposed to the browser, and auto-refresh when they expire. If a refresh token is revoked, the sync fails with a clear error prompting reconnection.
Audit Trail
| Setting changes | Which setting, by whom, metadata |
| Data exports | Type (CSV/JSON/PDF), who initiated, record counts |
| Sync triggers | Manual triggers, user, result |
| User logins | Attempts (success/fail), session creation |
Audit entries cannot be modified or deleted. The log is retained for the lifetime of the organization and is viewable by Admins and Owners.
Data Export & Portability
Admins can export all organization data as JSON at any time from Settings. This includes opportunities, activities, scores, evaluations, and configuration. Pipeline data supports CSV export. Reports support PDF/print export. There is no vendor lock-in.
Error Handling
Sentry captures errors with 100% sampling rate. PII is disabled. Sensitive headers (authorization, tokens, cookies) are scrubbed from reports. Application logs scrub 21 sensitive key patterns before output.
Database Security
| Provider | Neon PostgreSQL (managed) |
| Connection | SSL/TLS required |
| ORM | Prisma — parameterized queries only, no raw SQL |
| SQL injection | Eliminated by exclusive use of ORM |
| Backups | Neon managed with point-in-time recovery |
Rate Limiting
| Login | 10 per 15 min (per account) |
| Registration | 5 per 15 min (per IP) |
| Manual sync | 3 per 5 min (per organization) |
| Data export | 5 per 5 min (per organization) |
Subprocessors
| Vercel | Application hosting — data in transit |
| Neon | Database hosting — all stored data |
| Sentry | Error monitoring — error context (no PII) |
| Resend | Email delivery — recipient, notification content |
| Anthropic | AI summaries — deal context (no credentials) |
Compliance Roadmap
| Multi-tenant isolation | Implemented |
| Token encryption (AES-256-GCM) | Implemented |
| HTTPS in transit | Enforced |
| Audit trail | Implemented |
| Full data export | Implemented |
| Read-only integrations | Architecture-level |
| GDPR-ready architecture | Implemented |
| SOC 2 Type II | Planned |
Contact
For security questions or to report a vulnerability: hello@evivant.io