Security
Last updated: May 2026
The security of your operational and financial data is a top priority. Here is what we have in place to protect your workspace.
Secure Authentication
Kolvexa uses Clerk for authentication, offering hashed passwords, multi-factor authentication (MFA), and social login via approved providers.
Encryption in Transit
All communication between your browser and our servers is encrypted via TLS 1.2+. No data is transmitted in plaintext.
Payment Security
Payments are processed exclusively by Stripe, a PCI DSS Level 1 certified provider. Kolvexa never stores card numbers or banking data.
Workspace Isolation
Each organization on Kolvexa is strictly isolated. One workspace's data is never accessible to members of another organization.
Infrastructure
Kolvexa relies on Supabase (hosted PostgreSQL) for data storage, with automatic backups, encryption at rest, and strict database-level access controls.
Administrative access to production infrastructure is restricted and key-controlled, and requires multi-factor authentication.
Data Retention and Deletion
When an account is deleted or a subscription expires without renewal:
- The workspace enters read-only mode for 90 days
- Data is permanently deleted at the end of this period
- Data deletions are permanent and cannot be reversed
- Export tools (Enterprise plan) allow you to download data before deletion
What We Don't Do
- We do not sell your data to third parties
- We do not store payment card data (Stripe handles this)
- We do not access your workspace without your explicit consent
- We do not claim compliance certifications we have not obtained
Responsible Disclosure
If you discover a security vulnerability in Kolvexa, we encourage responsible disclosure. Please contact us before any public disclosure so we can address the issue promptly.
We commit to taking reports seriously and keeping you informed of progress.
Report a vulnerability: security@kolvexa.com
Security Contact
For any security-related questions: