Security
Your data is safe.
Here is how we protect it.
Security is built into every layer of Adiuvo — from how you log in, to how we store your data, to how we process payments. Nothing is an afterthought.
How we protect you
Security at every layer.
Authentication
- Every login requires a one-time passcode sent to your email. This is a second layer of security on top of your password.
- Your login tokens are stored in HttpOnly cookies. JavaScript on the page cannot read them. This stops most token-theft attacks.
- Tokens rotate automatically. Every time your session refreshes, the old token is blacklisted and a new one is created.
- Five failed login attempts in five minutes locks the account for five minutes. This stops brute-force attacks.
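The lockout rule above (five failures in five minutes locks the account for five minutes), as an added illustration in Python; this is not Adiuvo's code, and it keeps state in process memory with the clock passed in as an argument so the policy can be exercised deterministically.

```python
from collections import defaultdict, deque

# Policy values as stated on the page: five failures within five minutes
# lock the account for five minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCK_SECONDS = 300


class LoginLockout:
    """Sliding-window lockout keyed by account identifier. `now` is passed in
    explicitly (a Unix timestamp) so the policy is testable; production code
    would pass time.time() and keep the state in a shared store such as Redis."""

    def __init__(self):
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock expired: forget it and the failures that triggered it.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Register a failed attempt; return True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        window = self._failures[account]
        window.append(now)
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                  # drop failures outside the five-minute window
        if len(window) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCK_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(account, None)
```

Call `is_locked` before verifying the password, and keep the error message identical to an ordinary failed login so the lock itself does not confirm that the account exists.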
Data encryption
- All data in transit is encrypted with TLS. We enforce HTTPS across every page and every API call.
- Sensitive data at rest — like saved credentials in ProjectLocker — is encrypted with Fernet (AES-128-CBC + HMAC).
- We never store raw payment card data. All card processing is handled by Stripe, which is PCI Level 1 certified.
- HTTP Strict Transport Security (HSTS) is enabled with a one-year duration. Browsers are forced to use HTTPS, even if you type http://.
Access control
- We use role-based access control (RBAC). Each user has a role. Each role has specific permissions. You only see what your role allows.
- Admin actions like impersonation are fully audited. Every request during an impersonation session is logged with the admin's identity, IP, and timestamp.
- Feature-level permissions control access to individual tools. If your plan does not include a feature, the API blocks it — not just the UI.
- API tokens use SHA-256 hashing. The raw token is shown once at creation and never stored. Even we cannot retrieve it.
Threat detection
- Our Threat Guard system scans all user-uploaded content through multiple tiers: pattern matching, YARA malware rules, and ClamAV antivirus.
- Known malware families — crypto miners, card skimmers, keyloggers — are detected and blocked before they can reach your site.
- Every scan result is recorded. Our team can review findings, false positives, and severity levels in the admin dashboard.
- Content Security Policy (CSP) headers restrict what scripts can run, preventing cross-site scripting (XSS) attacks.
Infrastructure
- Clickjacking protection is built in. We set X-Frame-Options to DENY so no one can embed our pages in an iframe.
- MIME-type sniffing is disabled. Browsers cannot override our declared content types, which prevents certain injection attacks.
- Rate limiting protects every endpoint. Login, registration, OTP, and password reset each have their own limits.
- Known security scanners and bots are filtered out of logs. This reduces noise and helps us focus on real threats.
Payment security
- We never see or store your credit card number. Stripe handles all card processing. Stripe is PCI DSS Level 1 certified — the highest level.
- Stripe webhook events are verified with a cryptographic signature. This ensures payment notifications come from Stripe and not an attacker.
- Duplicate webhook events are automatically detected and skipped. This prevents double charges or duplicate subscriptions.
- All prices and transactions are processed in Canadian dollars (CAD). What you see is what you pay.
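The two webhook checks above, signature verification and duplicate-event skipping, as an added example in Python; it is not Adiuvo's code and does not use the Stripe SDK. It re-implements Stripe's documented `Stripe-Signature` scheme (`t=<timestamp>,v1=<HMAC-SHA256 hex>` over `"<timestamp>.<raw body>"`) by hand so it runs offline; `ENDPOINT_SECRET`, the tolerance value and the sample event are constructed.

```python
import hashlib
import hmac
import json

# Constructed placeholder; a real endpoint secret comes from the Stripe dashboard.
ENDPOINT_SECRET = "whsec_example_secret"
TOLERANCE_SECONDS = 300  # reject signatures older than five minutes (replay defence)


def verify_signature(payload: bytes, sig_header: str, secret: str, now: float) -> bool:
    """Check a Stripe-style header "t=<unix ts>,v1=<hex hmac>[,v1=...]": the signed
    string is "<ts>.<raw body>" and the MAC is HMAC-SHA256 keyed with the secret."""
    timestamp, candidates = None, []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not timestamp.isdigit() or not candidates:
        return False
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False
    signed = f"{timestamp}.".encode() + payload   # raw bytes, never re-serialised JSON
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    # Constant-time comparison against each v1 candidate (several exist during key rotation).
    return any(hmac.compare_digest(expected, c) for c in candidates)


class WebhookHandler:
    def __init__(self, secret: str):
        self.secret = secret
        self.seen_ids = set()   # in production: a durable store shared by all workers
        self.processed = []

    def handle(self, payload: bytes, sig_header: str, now: float) -> str:
        if not verify_signature(payload, sig_header, self.secret, now):
            return "rejected"
        event = json.loads(payload)
        if event["id"] in self.seen_ids:
            return "duplicate"   # Stripe retries deliveries; never charge or provision twice
        self.seen_ids.add(event["id"])
        self.processed.append(event["type"])
        return "processed"


def sign(payload: bytes, secret: str, ts: int) -> str:
    """Build a header the way the sender would; used only to exercise the check."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"
```

Verify against the raw request body before any JSON parsing, and record the event id in the same transaction as the side effect so a crash between the two cannot leave a retry unguarded.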
Privacy & compliance
We respect your privacy.
We follow Canadian privacy law and build our products with privacy in mind from the start — not as a checkbox after the fact.
Privacy by design
We collect only the data we need to run your account and deliver our products. Error tracking is configured to never send personally identifiable information (PII). Sentry catches bugs, not your data.
Consent and transparency
We track when you accept our terms, which version you accepted, and your IP at the time. If we update our terms, you will be asked to accept the new version before continuing. This follows PIPEDA and CASL requirements.
Account protection
We block sign-ups from known disposable email providers. Login and password reset pages never reveal whether an email address exists in our system. This stops attackers from guessing which emails are registered.
Common questions
Quick answers about security.
Do you store my credit card number?
No. We never see or store card numbers. All payment processing is handled by Stripe. Stripe is PCI DSS Level 1 certified.
Is my data encrypted?
Yes. Data in transit is encrypted with TLS. Sensitive data at rest — like saved credentials — is encrypted with AES-128. Passwords are hashed and never stored in plain text.
What happens if someone tries to break into my account?
After five failed login attempts in five minutes, the account is locked for five minutes. Every login attempt is logged with the IP address and timestamp.
Can Adiuvo staff access my account?
Only authorized admins can impersonate a user account, and only with a stated reason. Every action taken during impersonation is logged and auditable — including the admin's identity, IP address, and each request made.
How do I report a security issue?
Email [email protected] with details of the issue. We take every report seriously and will respond as quickly as possible.
Do you comply with Canadian privacy law?
Yes. We follow PIPEDA and CASL requirements. We capture consent with timestamps and IP addresses. We version our terms so you always know what you agreed to.
Found a security issue?
If you find a vulnerability in any Adiuvo product, please report it responsibly. Email us at [email protected] with details. We take every report seriously and will respond quickly.
Please do not publicly disclose the issue until we have had a chance to investigate and fix it.
Questions?
Have a security question?
Our team is happy to answer any questions about how we protect your data. Reach out any time.
Contact us