Security Overview

Security is foundational to QuivaWorks’ architecture. This comprehensive guide outlines the security features available to protect your account and data, along with best practices for maintaining a strong security posture.

Platform Security

QuivaWorks is built with enterprise-grade security from the ground up.

Compliance & Certifications

ISO 27001

Information security management system certified

SOC 2 Type II

Coming soon - Independent audit of security controls

GDPR Compliant

Full compliance with EU data protection regulations

PCI DSS

Payment card data security for billing
HIPAA compliance is available on Enterprise plans only. Contact us if you need to process protected health information.

Data Protection

AES-256 Encryption

All data stored within QuivaWorks is encrypted at rest using industry-standard AES-256 encryption:
  • Agent configurations
  • Flow definitions
  • Conversation history
  • User data
  • API keys (hashed)
  • Backups
Enterprise customers can use customer-managed encryption keys (CMEK) for additional control.

TLS 1.3

All data transmitted to and from QuivaWorks is protected using TLS 1.3:
  • Web console access (HTTPS)
  • API requests
  • Agent communications
  • Webhook calls
  • File uploads
We do not support older, insecure protocols like SSL or TLS 1.0/1.1.

Geographic Control

Choose where your data is processed and stored:
  • EU - European Union data centers (GDPR compliant)
  • US - United States data centers
  • Australia - Sydney data center
Configure during account creation or modify in Account Management → Mesh. Your selection determines compliance with regional data protection laws.

Multi-Tenant Security

Each account’s data is logically isolated:
  • Separate databases per account
  • Network segmentation
  • Access controls between tenants
  • No data sharing between accounts
Enterprise plans can opt for dedicated infrastructure for complete physical isolation.

Infrastructure Security

QuivaWorks’ proprietary multi-cloud mesh architecture provides resilience and security:

Redundancy

Minimum 3 servers per account with automatic failover

Backups

Continuous replication across mesh nodes

DDoS Protection

Built-in protection against distributed attacks

Account Security Features

Multi-Factor Authentication (MFA)

MFA is strongly recommended for all users and required for Admin and Root roles.
QuivaWorks supports two MFA methods:

Session Management

Control and monitor access to your account:
  • Session Lifetimes: 1-hour access tokens, 24-hour refresh tokens
  • Multi-Device Support: Track all active sessions
  • Remote Termination: Log out from any device remotely
  • Activity Monitoring: See device, browser, location, and IP for each session
Learn more about sessions →

API Key Security

Secure programmatic access with best practices:
  • User-Scoped: Keys inherit creator’s permissions
  • 3-Month Expiration: Automatic key rotation requirement
  • Instant Revocation: Delete compromised keys immediately
  • Environment Variables: Never hardcode in applications
Manage API keys →

Security Best Practices

For All Users

Password Requirements:
  • Minimum 8 characters (12+ recommended)
  • Uppercase and lowercase letters
  • Numbers and special characters
  • Unique to QuivaWorks (never reuse)
Best Practices:
  • Use a password manager (1Password, LastPass, Bitwarden)
  • Enable the password generator
  • Store securely, never in email or notes
  • Change immediately if compromised
Set up multi-factor authentication on your first login:
  1. Choose passkey (preferred) or authenticator app
  2. Complete the setup process
  3. Save recovery codes in a secure location
  4. Test login with MFA before closing setup
Never skip MFA setup - it’s your strongest defense against unauthorized access.
Recovery codes are your backup access method.
Storage Options:
  • Password manager (best option)
  • Encrypted file on secure device
  • Physical safe or lockbox
  • Bank safe deposit box
Never store in:
  • Email
  • Cloud notes (Evernote, Google Keep)
  • Unencrypted files
  • Shared documents
Check active sessions at least monthly:
  1. Navigate to Settings → Sessions
  2. Verify all devices and locations
  3. Terminate unfamiliar sessions
  4. Report suspicious activity immediately
Look for:
  • Unfamiliar locations
  • Unknown devices
  • Unusual login times
  • IP addresses you don’t recognize
Maintain updated software for security patches:
  • Browser: Use latest version of Chrome, Firefox, Safari, or Edge
  • Operating System: Enable automatic security updates
  • Security Software: Use reputable antivirus/anti-malware

For Administrators

Make multi-factor authentication mandatory:
  • Critical: All Root and Admin users
  • Recommended: All Developer users
  • Required: Users accessing sensitive data
Monitor MFA adoption in user management and follow up with users who haven’t enabled it.
Assign minimum necessary permissions:
  • Root: Only for account owners (limit to 1-2 people)
  • Admin: Trusted team leads and IT staff
  • Developer: Technical team members
  • Monitor: View-only for stakeholders
  • Billing: Finance team only
Review roles quarterly and adjust as needed.
Monthly Reviews:
  • Active users and their roles
  • Active sessions across all users
  • API keys and their usage
  • Unusual resource activity
Quarterly Reviews:
  • User permission levels
  • Security policy compliance
  • Incident response procedures
  • Security training effectiveness
When users leave your organization:
  1. Immediately: Suspend their account
  2. Within 1 hour: Terminate all their sessions
  3. Within 24 hours: Delete all their API keys
  4. Within 1 week: Transfer resource ownership if needed
  5. Final: Delete the user account
Document the process and maintain an audit trail.
Educate team members on security:
  • Onboarding security training for new users
  • Quarterly security awareness updates
  • Phishing awareness and testing
  • Password and MFA best practices
  • Incident reporting procedures
Make security everyone’s responsibility.

For Developers

Never expose API keys in code.
Do:
# Use environment variables
export QUIVA_API_KEY="your-key"
Don’t:
// Never hardcode keys
const apiKey = "ms_1234567890"; // BAD
  • Use environment variables or secret managers
  • Add .env to .gitignore
  • Rotate keys every 3 months
  • Delete unused keys immediately
API key best practices →
Prevent information leakage through errors:
try {
  // API call
} catch (error) {
  // Don't expose sensitive details
  console.error("API error occurred");
  // Log full error securely on server
  logger.error(error);
}
Never expose:
  • API keys in error messages
  • Stack traces to end users
  • Database query details
  • Internal system information
Always use encrypted connections:
  • Never use HTTP for API calls
  • Verify SSL certificates
  • Pin certificates in mobile apps
  • Use secure WebSocket connections (WSS)
// Always use HTTPS
const url = "https://api.quiva.ai/v1/agents";
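The three practices above (key read from the environment, a generic client error with the full error logged server-side, HTTPS only) combined in one request helper. This is an added example, not QuivaWorks code: the function names, the Bearer authorization header and the sample key are assumptions; only QUIVA_API_KEY and the api.quiva.ai URL come from the page.

```javascript
// Added example: helper names and the Bearer header scheme are assumptions.
const API_BASE = "https://api.quiva.ai/v1/"; // host from the page's snippet

// Read the key from the environment; fail closed if it is missing.
function loadApiKey(env = process.env) {
  const key = (env.QUIVA_API_KEY || "").trim();
  if (key === "") throw new Error("QUIVA_API_KEY is not set");
  return key;
}

// Resolve a path against the base and refuse anything that would send the
// key over plain HTTP or to a different host (absolute or "//host" input).
function buildRequest(path, env = process.env) {
  const base = new URL(API_BASE);
  const url = new URL(path, base);
  if (url.protocol !== "https:" || url.host !== base.host) {
    throw new Error("refusing non-HTTPS or off-host URL");
  }
  return {
    url: url.href,
    headers: { Authorization: `Bearer ${loadApiKey(env)}` },
  };
}

// Mask every known secret in a string before it is written anywhere.
function redact(text, secrets) {
  return secrets
    .filter((s) => typeof s === "string" && s.length > 0)
    .reduce((out, s) => out.split(s).join("[REDACTED]"), String(text));
}

// Split one failure into a generic client message and a redacted server log.
function toClientError(err, secrets) {
  const detail = err instanceof Error ? err.stack || err.message : String(err);
  return {
    client: { error: "API error occurred" },
    serverLog: redact(detail, secrets),
  };
}

// Constructed sample run: the key and the upstream error text are made up.
const sampleEnv = { QUIVA_API_KEY: "constructed-sample-key" };
const sample = toClientError(
  new Error("401 Unauthorized for key constructed-sample-key"),
  [loadApiKey(sampleEnv)]
);
console.log(buildRequest("agents", sampleEnv).url, sample.client, sample.serverLog);
```

Return only the `client` object to the caller and write `serverLog` to your server-side logger.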
Protect against injection attacks:
  • Validate all user input
  • Sanitize data before processing
  • Use parameterized queries
  • Implement rate limiting
  • Validate file uploads
Never trust client-side validation alone.

Security Notifications

QuivaWorks sends automatic email notifications for important security events:

Password Changed

Immediate notification when password is updated

Email Change Requested

Alert when email address change is initiated

Passkey Added

Notification when new passkey is registered

Security Codes Viewed

Alert when recovery codes are accessed

User Added

Notice when new user is invited to account

API Key Created

Coming soon - Notification for new API keys
If you receive a security notification for an action you didn’t perform, take immediate action by following our Incident Response Guide.

Vulnerability Management

Reporting Security Vulnerabilities

We appreciate responsible disclosure of security vulnerabilities.
If you discover a security issue:
  1. Do not publicly disclose the vulnerability
  2. Do not exploit the vulnerability
  3. Email [email protected] with:
    • Detailed description of the vulnerability
    • Steps to reproduce
    • Potential impact assessment
    • Your contact information
  4. Allow us reasonable time to address the issue
  5. Receive acknowledgment within 48 hours
We’re committed to:
  • Acknowledging reports within 48 hours
  • Providing regular updates on remediation progress
  • Crediting researchers (if desired) after fix is deployed
  • Addressing critical vulnerabilities within 24 hours

Our Security Practices

Regular Penetration Testing

Third-party security assessments conducted regularly

Automated Security Scanning

Continuous monitoring for vulnerabilities and threats

Security Patches

Critical vulnerabilities addressed within 24 hours

Security Training

Regular training for all development team members

Privacy and Data Handling

Data Collection

We collect only what’s necessary to provide our service:
Account Information:
  • Email address and name
  • Company/organization details
  • Billing information (processed by Stripe)
Usage Information:
  • Login activity and sessions
  • API usage patterns
  • Resource creation and modifications
  • Performance metrics
We Never:
  • Sell your data to third parties
  • Use your data to train AI models
  • Share data between accounts
  • Access your data without permission (except for support requests you initiate)

Data Retention

Data is retained as long as your account is active:
  • Agent configurations
  • Flow definitions
  • Conversation history
  • User settings
  • Audit logs
When you close your account:
  • All data is permanently deleted within 30 days
  • Backup copies are removed from all systems
  • Billing records retained for legal requirements only (7 years)
  • No recovery possible after deletion
This fulfills your right to erasure under GDPR.
Free accounts inactive for 12+ months:
  • Email notification sent at 11 months
  • Account scheduled for deletion
  • 30-day grace period to log in and prevent deletion
  • All data deleted after grace period

Your Rights (GDPR)

Right to Access

Request a copy of your personal data at any time

Right to Rectification

Update or correct your information in account settings

Right to Erasure

Delete your account and all associated data

Right to Data Portability

Export your data (available via buckets)
To exercise your rights, contact [email protected].

Compliance Resources

Security Checklist

Use this checklist to maintain strong account security:

Initial Setup

  • Enable MFA (passkey or authenticator app)
  • Save recovery codes in secure location
  • Set strong, unique password
  • Configure account regions for compliance
  • Review default security settings

Weekly

  • Review any security notification emails
  • Check for unfamiliar sessions when logging in
  • Report suspicious activity immediately

Monthly

  • Review all active sessions
  • Audit active API keys
  • Check for unused user accounts
  • Review resource changes and activity
  • Verify billing activity

Quarterly

  • Review all user roles and permissions
  • Rotate API keys
  • Conduct security audit
  • Update security documentation
  • Provide security training to team

Annually

  • Review and update security policies
  • Test incident response procedures
  • Evaluate compliance requirements
  • Assess need for additional security controls
