Security at Kansov

Your product data is the foundation of your company's strategy. We take its protection seriously.

Last Updated: March 6, 2026

Security by design: Kansov is built with enterprise-grade security from the ground up — multi-tenant isolation, encrypted credentials, SSO, RBAC with 40+ permissions, and a BYOK model that keeps your AI keys under your control.

Security Overview

🔐

Encryption Everywhere

TLS 1.2+ in transit. Encryption at rest for all stored data. AES-256-GCM for API keys. bcrypt for password hashing.

🏢

Workspace Isolation

Strict multi-tenant architecture. Each workspace's data is logically separated with enforced access controls.

🔑

Enterprise Authentication

Local auth with bcrypt, OIDC (OpenID Connect), SAML 2.0 for SSO, and SCIM for automated user provisioning.

🛡️

Granular Permissions

Role-based access control with 40+ permissions. Workspace owners control who can access what.

🤖

BYOK for AI

Bring Your Own Key — your AI provider API key is encrypted with AES-256-GCM and never shared across workspaces.

📋

Audit Logging

Security-relevant operations are logged for accountability. Track who did what and when across your workspace.

Data Protection

Encryption

All data transmitted is encrypted using TLS 1.2+. Data at rest in Neon Postgres is encrypted. Sensitive credentials receive an additional layer of encryption using AES-256-GCM before storage.

Password Security

User passwords are hashed using bcrypt. We never store passwords in plain text. We recommend SSO via OIDC or SAML 2.0 as the primary authentication method for organizations.

Session Management

Kansov uses server-side sessions stored in PostgreSQL, referenced from the browser by a Secure, HttpOnly session cookie. Sessions expire after a period of inactivity. No session state or token is kept on the client (no JWT in localStorage).

Multi-Tenancy and Isolation

Every database query is scoped by workspace ID at the application layer, so one workspace cannot read or modify another workspace's rows, including lookups by record ID. Each workspace's AI API key is encrypted separately.

Access Control

Kansov implements a three-layer permission model. Role-Based Access Control grants 40+ granular permissions across 5 built-in roles. Data-Level Permissions let individual items be restricted to specific roles. Ownership Controls give the creator of an item elevated permissions on that item. A request must satisfy all three layers that apply to it.

Incident Response

In the event of a security incident, we will notify affected users no later than 72 hours after confirmed discovery. Notification will include the nature of the incident, data affected, steps taken, and recommended actions.

Responsible Disclosure

To report a security vulnerability: support@kansov.com with "Security Vulnerability" in the subject line. We will acknowledge receipt within 48 hours.

Contact