ifivo sits in the hot path for AI agent actions, so security is not a page — it is the product. This document describes the controls in place today. Where a control is in progress, it is marked clearly so you can make an informed decision.
Data handling
ifivo processes three classes of data: (1) agent action metadata (vendor, action type, amount, risk score, and any other metadata the customer chooses to send), (2) policy definitions, and (3) identity data for the humans approving or auditing actions.
ifivo is non-custodial: we never hold funds, API credentials for third-party vendors, or persistent secrets beyond the org API key the customer generates.
Encryption in transit and at rest
All traffic to www.ifivo.com and api.ifivo.com is served over TLS 1.2+.
Primary storage is Postgres on Neon, which encrypts data at rest using AES-256. Backups are encrypted with the same controls.
Access controls
Production access is limited to named engineers, enforced by SSO with 2FA. Customer data access requires a documented support ticket and is logged. Org-level data is isolated by org_id in every query path.
Org API keys follow the format ifv_… and can be rotated at any time from settings. Per-environment (staging / production) keys and scoped tokens are planned for the future.
Incident response
Security incidents follow a documented response plan: detect, contain, eradicate, recover, post-mortem. Customers affected by a confirmed incident are notified without undue delay and in any case within contractual timelines.
Subprocessors
Current subprocessors:
- Vercel — hosting and edge delivery
- Neon — managed Postgres
- Cloudflare — DNS and TLS termination
- Resend / Postmark — transactional email (for approvals and magic links)
- Slack (optional, per-customer) — approval routing
Certifications and compliance
- SOC 2 Type II — in progress (target: audit window beginning Q3 2026).
- ISO 27001 — planning stage; not yet in scope.
- GDPR / CCPA — see the Privacy page for data-subject rights.
Reporting a vulnerability
Email security@ifivo.com. We will acknowledge within two business days. We do not currently operate a paid bug bounty, but we will publicly credit valid reports (with your permission).
Please do not test on other customers' data. A dedicated staging environment can be provided on request.