Security
Security by design
User feedback is sensitive data. We take that seriously. Security controls are built into the platform from the ground up — not added as an afterthought.
SOC 2 readiness
Canviq is designed for SOC 2 Type II certification from day one. Audit logging, access controls, and MFA are built into the platform architecture — not bolted on later.
GDPR compliance
We operate under GDPR requirements. Users can export their data as JSON, delete their account with a 30-day grace period, and manage consent preferences at any time.
Encryption in transit and at rest
All traffic is encrypted via TLS. Data at rest is protected with AES-256 encryption via Supabase Pro infrastructure. Secrets are never logged.
Row-level security on all tables
Row-Level Security (RLS) is enabled on every database table. Users can only read and write their own data. Admin operations require team member verification.
Audit logging
Every security-relevant action is written to an append-only audit log. Logs are admin read-only and retained per SOC 2 requirements. Nothing is overwritten.
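The two controls above, row-level security that limits each user to their own rows and an append-only audit log that admins can read but nobody can rewrite, as they would be expressed in Supabase Postgres. This is an added example, not Canviq's own schema: the feedback, audit_log and team_members tables and their columns are assumed for illustration.

```sql
-- Added example, not Canviq's own schema; table and column names are assumed.
-- Part 1: a table whose rows a signed-in user can read and write only if they own them.
create table public.feedback (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);
-- RLS is off by default; without this statement the policy below has no effect and
-- every authenticated user could read every row through the API.
alter table public.feedback enable row level security;
-- auth.uid() is the subject of the caller's Supabase JWT. USING filters which rows a
-- command may see or touch; WITH CHECK rejects new or updated rows owned by someone else.
create policy "owner only" on public.feedback
  for all to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());
-- Part 2: an append-only audit log. RLS is on but there is no client write policy, so
-- the API cannot insert, update or delete; reads need membership in an assumed team table.
create table public.audit_log (
  id          bigint generated always as identity primary key,
  actor_id    uuid,
  action      text not null,
  target      text not null,
  occurred_at timestamptz not null default now()
);
alter table public.audit_log enable row level security;
create policy "admins read" on public.audit_log for select to authenticated
  using (exists (select 1 from public.team_members t where t.user_id = auth.uid()));
-- Refuse UPDATE/DELETE for every role, including the service role (bypasses RLS, not triggers).
create function public.audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only';
end $$;
create trigger audit_log_no_rewrite
  before update or delete on public.audit_log
  for each row execute function public.audit_log_immutable();
-- Audit rows are written server-side. SECURITY DEFINER runs the insert as the function
-- owner, so the client's lack of an insert policy on audit_log does not block it.
create function public.log_feedback_change() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  insert into public.audit_log (actor_id, action, target)
  values (auth.uid(), tg_op, 'feedback:' || coalesce(new.id, old.id)::text);
  return null;  -- AFTER trigger: the return value is ignored
end $$;
create trigger feedback_audit
  after insert or update or delete on public.feedback
  for each row execute function public.log_feedback_change();
```

A quick check after applying this: as an authenticated user, a select on public.feedback returns only your rows, and any update or delete against public.audit_log fails with the append-only error even when run with the service role key.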
Dependency scanning
npm audit runs in CI on every pull request. GitHub Dependabot alerts are enabled. We treat dependency vulnerabilities as blocking defects.
Data classification
| Classification | Examples |
|---|---|
| Public | Submissions, comments, votes, roadmap status |
| Internal | Admin analytics, triage notes, assignments |
| Confidential | Email addresses, IP addresses, session tokens |
| Restricted | API keys, OAuth secrets, service role credentials |
Responsible disclosure
If you discover a security vulnerability in Canviq, please report it privately. We will acknowledge your report within 48 hours and work with you to resolve it before any public disclosure.
security@canviq.app