Senova
Back to home
Trust

Security at Senova

Last updated: July 1, 2026

Security is foundational to how we build Senova. This page summarizes the measures we take to protect your account, your data, and the applications you build. It complements our Privacy Policy.

Encryption in transit

All traffic to Senova is served over HTTPS/TLS. Data moving between your browser, our servers, and our providers is encrypted.

Tenant isolation

Project data is scoped to your account at the application layer: every record carries your tenant ID, every query filters on it, and each project's app data lives in its own isolated store. Changes are recorded in an append-only audit log.

Secure authentication

Passwords are stored using strong one-way hashing. Sessions use signed, HTTP-only cookies scoped to your account.

Least-privilege access

Access to production systems is restricted to authorized personnel on a need-to-know basis and logged.

1. Infrastructure

Senova runs on Fly.io infrastructure, which provides physically secured, access-controlled data centers and managed Postgres databases. Our application servers and databases run in isolated environments with network controls between them.

2. Data Protection

  • In transit: encrypted with TLS across all connections.
  • At rest: stored on managed infrastructure with provider-level disk encryption.
  • Isolation: application-layer tenant scoping (every record and query carries and filters on your tenant ID) limits blast radius.
  • Backups: databases are backed up so data can be recovered after an incident.

3. Application Security

  • Authentication with hashed credentials and signed, HTTP-only session cookies.
  • Input validation and safe rendering to reduce injection and XSS risk.
  • Rate limiting and abuse detection on sensitive endpoints.
  • Dependencies monitored and updated to address known vulnerabilities.

4. AI Provider Handling

Prompts and project context sent to our AI providers are transmitted over encrypted connections. Under our agreements, providers process your content to return output to Senova and do not use it to train their foundation models. See our Privacy Policy for the full list of subprocessors.

5. Your Responsibilities

Security is a shared responsibility. We recommend you use a strong, unique password, keep your credentials confidential, review AI-generated code before deploying it to production, and avoid putting secrets or sensitive credentials directly into prompts or generated files.

6. Reporting a Vulnerability

We welcome reports from security researchers. If you believe you have found a vulnerability, please email [email protected] with the subject line "Security" and a description of the issue and steps to reproduce. Please give us a reasonable opportunity to remediate before public disclosure, and do not access or modify data that is not yours, degrade the Service, or run automated scans that disrupt other users. We will acknowledge valid reports and work with you in good faith.

Report a security issue: [email protected] — subject "Security".

Terms of Service Privacy Policy Cookie Policy Acceptable Use DMCA Security
© 2026 Senova. All rights reserved.