Security Practices
How Samvise protects your data and maintains security.
Security
Last Updated: January 30, 2026
At Samvise, security is foundational to everything we build. We implement industry-standard security practices to protect your data and ensure the integrity of our service.
Security Overview
| Area | Protection |
|---|---|
| Encryption | All data encrypted in transit (TLS 1.3) and at rest (AES-256) |
| Access Control | Row-level security ensures you only access your own data |
| Infrastructure | Hosted on SOC 2 compliant platforms (Vercel, Supabase) |
| Monitoring | Continuous monitoring and logging for security events |
Data Encryption
We use strong encryption to protect your data at every stage:
- In Transit: All connections use TLS 1.3 encryption. We enforce HTTPS across the entire application with HSTS (HTTP Strict Transport Security) enabled.
- At Rest: Database storage is encrypted using AES-256 encryption. Backups are also encrypted.
- OAuth Tokens: Google Calendar OAuth tokens are encrypted using AES-256 before storage and are never logged or exposed in plaintext.
- Secrets Management: API keys and sensitive credentials are stored in secure vault storage, separate from application data.
Access Control
We implement strict access controls to ensure data isolation:
- Row-Level Security (RLS): Every database query is automatically filtered to only return data belonging to the authenticated user. This is enforced at the database level, not just the application level.
- Authentication: We use Supabase Auth with secure session management. Sessions are validated on every request. Google sign-in is protected by your Google account's own security, including any two-step verification you have enabled there.
- Session Management: You can view and revoke active sessions from your account settings. Sessions expire automatically after periods of inactivity.
Infrastructure Security
Our infrastructure is built on trusted, security-focused platforms:
- Vercel: Application hosting with automatic DDoS protection, edge network security, and SOC 2 Type 2 compliance.
- Supabase: Database and authentication services with SOC 2 Type 2 compliance, automated backups, and point-in-time recovery.
- Google Cloud: Calendar integration via Google's secure OAuth 2.0 infrastructure.
Application Security
We follow security best practices in our application development:
- Content Security Policy (CSP): Strict CSP headers prevent XSS attacks by controlling which resources can be loaded.
- Input Validation: All user input is validated and sanitized to prevent injection attacks.
- CSRF Protection: Cross-site request forgery protection on all state-changing operations.
- Rate Limiting: API rate limiting prevents abuse and protects against brute-force attacks.
- Security Headers: We implement X-Frame-Options, X-Content-Type-Options, and other security headers to prevent common web attacks.
- Dependency Scanning: Regular automated scanning for vulnerabilities in third-party dependencies.
AI Provider Security
When using AI features, your data is handled securely:
- Minimal Data: We send only the minimum data necessary for AI processing (task titles, due dates, time requirements, and scheduling context).
- No Training: Your data is not used to train AI models. AI providers process requests in real-time without retention.
- File Sharing Consent: Attachments you add in chat are only shared with the AI provider after you grant explicit consent, which you can revoke in Settings.
Monitoring and Incident Response
We actively monitor our systems and have procedures in place for security incidents:
- Logging: Security-relevant events are logged with PII automatically redacted. Logs are retained for security analysis while respecting privacy.
- Audit Trail: Security-relevant account activity is tracked, and your active sessions are visible in your account settings.
- Alerting: Automated alerts for suspicious activity patterns and potential security issues.
- Incident Response: We have documented procedures for responding to security incidents, including notification protocols compliant with Washington State law.
Your Security Responsibilities
Security is a shared responsibility. We recommend:
- Use a strong, unique password for your account
- Enable multi-factor authentication when available
- Keep your Google account secure, as it's used for authentication
- Review your active sessions periodically and revoke any you don't recognize
- Log out from shared or public devices
- Report any suspicious activity to us immediately
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
- Email: security@samvise.io
- Response Time: We aim to acknowledge reports within 48 hours and provide updates as we investigate.
- Responsible Disclosure: Please allow us reasonable time to address issues before public disclosure.
We appreciate security researchers who help us keep Samvise secure.
Compliance
We are committed to maintaining high security standards:
- Google API Compliance: We adhere to Google API Services User Data Policy, including Limited Use requirements.
- Infrastructure Compliance: Our hosting providers (Vercel, Supabase) maintain SOC 2 Type 2 compliance.
- Data Protection: We implement technical measures aligned with GDPR and Washington State privacy requirements.
Contact
For security questions or concerns, contact us at:
Last updated: January 30, 2026