Built secure from day one
Bolsivo handles sensitive business data on your behalf. Here's exactly how we protect it — encryption, access control, compliance, and the unique human-approval model that ensures you stay in control of every message.
Encryption everywhere
All data is encrypted in transit and at rest. No exceptions.
- TLS 1.2 or newer is enforced on every connection; plaintext HTTP is not accepted.
- Database storage encrypted at rest (AES-256 via Supabase/AWS).
- API keys and secrets stored as environment variables, never in source code or logs.
- Stripe handles all payment data — Bolsivo never stores card numbers.
Data isolation by organization
Row-Level Security (RLS) ensures each account sees only its own data.
- Supabase Row-Level Security policies enforce ownership on every table.
- The service-role client, which bypasses RLS, is used only for system operations; every user-facing query runs with the caller's validated session, so ownership is enforced by the database rather than by application code.
- Multi-tenant isolation holds even under application bugs: a misconfigured query in a user's context cannot return another organization's leads, because the policy filters rows before they leave the database.
- All API routes validate the authenticated session before any data access.
Authentication & access control
Secure, standards-based auth powered by Supabase Auth.
- Email/password with bcrypt hashing, handled by Supabase Auth; Bolsivo's application code never handles or stores plaintext passwords.
- Short-lived JWT access tokens (1 hour) with automatic refresh.
- Logout revokes the refresh token server-side. Because access tokens are stateless JWTs, one already issued remains usable until it expires, which is at most one hour.
- Rate limiting on login and password-reset endpoints to prevent brute-force.
Human approval — built-in send control
No email leaves Bolsivo without your individual, explicit approval. This is not a setting.
- Every AI-generated draft is stored as "pending" — not queued for delivery.
- The Approve action is a deliberate, per-email user action in the Approvals panel.
- There is no auto-send mode, no scheduled auto-send, and no bulk-approve-all shortcut.
- Nothing on Bolsivo's servers sends email on its own schedule; delivery is triggered only by an authenticated user approving that specific draft.
CAN-SPAM & GDPR compliance
Legal compliance is built into the product, not bolted on after.
- CAN-SPAM: every email includes your business address and a working unsubscribe link.
- Suppression list: opt-outs are recorded immediately and permanently — that address is never contacted again.
- GDPR: one-click data export and account deletion available in Settings → Account.
- B2B only: Bolsivo targets registered businesses (Google Places), not individuals.
Infrastructure & reliability
Production infrastructure on established platforms with automatic redundancy.
- Hosted on Vercel (compute) + Supabase (database); both hold SOC 2 Type II reports.
- Database point-in-time recovery (PITR) with daily backups retained 30 days.
- Health check endpoint at /api/health continuously monitored.
- Zero-downtime deploys via Vercel's atomic deployment model.
Monitoring & incident response
Continuous observability with rapid response protocols.
- Structured server logs on every API route — never logging PII or secrets.
- Every inbound Stripe webhook is verified (HMAC-SHA256 over the timestamped raw body, with a replay window) before the event is parsed.
- Stripe webhook idempotency via a processed-event deduplication table, so a redelivered event is handled at most once.
- Critical errors trigger alerts; response SLA under 24 hours for security issues.
Vendor & supply chain security
Third-party vendors are evaluated for security posture before integration.
- Stripe (payments): PCI DSS Level 1 certified.
- Supabase (database/auth): SOC 2 Type II report.
- Resend / SendGrid (email delivery): follow CAN-SPAM and DMARC best practices.
- Retell AI (Luna voice): data processed per their BAA-eligible enterprise terms.
What's on the roadmap
We're building toward enterprise-grade certification. Here's what's coming:
- SOC 2 Type II audit (in progress; target Q4 2026)
- HIPAA Business Associate Agreement (BAA) for healthcare customers
- SSO / SAML for enterprise plan
- Annual third-party penetration testing report (public summary)
Found a vulnerability?
We take security reports seriously. If you discover a potential security issue, please email us directly — we'll respond within 24 hours and credit responsible disclosures.
Report a vulnerability
Please include a description, reproduction steps, and potential impact. Do not publicly disclose before we've had a chance to resolve it.
Questions about security or compliance?