Security

Last updated: 2026-03-07

1. Our Security Practices

CEvident takes the security of your data seriously. We implement the following measures to protect your information:

  • Encryption in transit: All data is transmitted over HTTPS/TLS
  • Encryption at rest: Data stored in our database is encrypted
  • Authentication: Passwords are hashed using industry-standard algorithms (bcrypt/argon2)
  • Email verification: Required before account activation
  • Session management: Automatic session timeout for inactive users
  • Input validation: Server-side validation and sanitization of all user input
  • Rate limiting: Protection against brute-force and abuse
  • Access controls: Role-based access with strict user data isolation

2. Third-Party Security

We use trusted third-party providers that maintain their own security certifications:

  • Stripe: PCI DSS Level 1 compliant payment processing
  • Convex: SOC 2 compliant database and backend
  • Vercel: SOC 2 compliant hosting platform
  • Resend: Secure email delivery

3. Vulnerability Disclosure Policy

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us so we can address it promptly.

How to Report

Email security reports to support@cevident.io with the subject line "Security Vulnerability Report".

What to Include

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any suggested remediation

Our Commitment

  • Acknowledgment: We will acknowledge receipt within 48 hours
  • Assessment: We will investigate and provide an initial assessment within 5 business days
  • Resolution: We aim to resolve confirmed vulnerabilities within 90 days
  • No legal action: We will not pursue legal action against researchers who report in good faith and follow responsible disclosure practices

4. Scope

The following types of vulnerabilities are in scope:

  • Authentication and authorization flaws
  • Data exposure or leakage
  • Cross-site scripting (XSS)
  • SQL injection or NoSQL injection
  • Server-side request forgery (SSRF)
  • Cross-site request forgery (CSRF)
  • Insecure direct object references

Out of scope: Social engineering, physical attacks, denial of service, issues in third-party services, and vulnerabilities requiring physical access to a user's device.

5. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users by email without unreasonable delay and no later than 72 hours after discovery
  • Provide details about the nature of the breach, the categories of data affected, and our response actions
  • Notify the California Attorney General if the breach affects more than 500 California residents, as required by Cal. Civ. Code § 1798.82
  • Comply with all applicable state breach notification laws
  • Provide guidance on steps you can take to protect yourself

6. Contact

For security questions or to report a vulnerability: support@cevident.io