Security Overview
Last updated: June 9, 2026
1. Authentication & Access Control
User accounts are authenticated via secure session-based credentials using NextAuth.js, backed by database-stored hashed passwords. Sessions are token-signed and expire automatically. Admin and workspace data is access-controlled per authenticated user identity.
2. Data Storage
All user data — including brand workspaces, report records, and scan histories — is stored in a managed relational database. Access to the database is restricted to our backend API layer. No direct public database access is permitted.
3. Payment Security
Nexvora GEO does not process, store, or transmit your card, UPI, or banking credentials directly. All payment flows are handled entirely by Razorpay Software Ltd., a PCI DSS compliant payment gateway. We receive only anonymized confirmation metadata (plan type, status, Razorpay order ID) after a successful transaction.
4. API Keys & Secrets
All sensitive API keys — including Razorpay secret keys, AI provider API keys, and database connection strings — are stored as server-side environment variables. They are never exposed to the client browser or included in frontend source code.
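The failure mode behind this section is a secret declared under a name the frontend build inlines into browser bundles. As an added example (not Nexvora's code), here is a small pre-deploy check for that mistake. It assumes the Next.js convention that only variables prefixed NEXT_PUBLIC_ reach client JavaScript, and the sample .env contents, variable names and regex are constructed for the illustration.

```javascript
// Added example (not Nexvora's code): flag secrets that a Next.js build would
// expose because they are declared under the client-visible NEXT_PUBLIC_ prefix.
const CLIENT_PREFIX = "NEXT_PUBLIC_"; // assumed Next.js convention
const SECRET_NAME = /(SECRET|PRIVATE|PASSWORD|TOKEN|API_KEY|DATABASE_URL|CONNECTION_STRING)/i;

// Parses dotenv-style text into [name, value] pairs, skipping comments and blanks
// and stripping a single layer of matching quotes from the value.
function parseEnv(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = (value.startsWith('"') && value.endsWith('"')) ||
                   (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    entries.push([name, value]);
  }
  return entries;
}

// Returns the names that would be shipped to the browser yet look like secrets.
// Intended to run in CI and fail the build when the list is non-empty.
function findExposedSecrets(envText) {
  return parseEnv(envText)
    .filter(([name]) => name.startsWith(CLIENT_PREFIX) && SECRET_NAME.test(name))
    .map(([name]) => name);
}

// Constructed sample .env; values are placeholders, not real credentials.
// One mistake is planted: a secret key declared under a public name.
const SAMPLE_ENV = `
# server-only
DATABASE_URL="postgres://app:placeholder@db.internal/geo"
RAZORPAY_KEY_SECRET=placeholder_secret
OPENAI_API_KEY=placeholder_key
# the key id is the public half used by the checkout widget, so this is fine
NEXT_PUBLIC_RAZORPAY_KEY_ID=rzp_test_placeholder
# mistake: this would be inlined into every client bundle
NEXT_PUBLIC_RAZORPAY_KEY_SECRET=placeholder_secret
`;

module.exports = { parseEnv, findExposedSecrets, SAMPLE_ENV };
```

Run it against the deployment's .env files in CI; a non-empty result means the variable must be renamed without the prefix and read only in server-side code.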
5. Data in Transit
All communications between your browser and our platform are encrypted over HTTPS (TLS). We enforce HTTPS across all production endpoints.
6. Responsible Disclosure
If you discover a potential security vulnerability in our platform, we encourage you to report it responsibly before public disclosure. Please contact us directly:
- Email: support@nexvora.dev — Subject: "Security Disclosure"
We will investigate all reports and aim to respond within 5 business days. We appreciate responsible security research.
7. Ongoing Improvements
Security is an ongoing commitment, not a checkbox. We continuously review our practices and update this page as our security posture evolves.