SMVue takes the security of your team's data seriously. Our platform is built on Google Cloud Platform using managed services with defense-in-depth strategies including field-level encryption, multi-factor authentication for administrative access, comprehensive audit logging, AI-specific security controls, and automated security scanning throughout our development pipeline.
Data Protection
Encryption at Rest
All data is encrypted at rest using Google-managed AES-256 encryption at the storage level. Beyond that, sensitive data is encrypted a second time at the application level before storage using AES-128 (Fernet) encryption with separate key domains:
- CRM tokens — encrypted independently from business data
- Coaching notes and meeting insights — dedicated encryption key
- AI-generated content — dedicated encryption key
- Meeting transcripts — dedicated encryption key
- File attachments — stored in private cloud storage with time-limited signed URL access
Key rotation is supported without downtime via MultiFernet, which transparently decrypts data encrypted under previous keys while re-encrypting under the current key.
Encryption keys are stored in Google Secret Manager with IAM-scoped access controls. No encryption keys exist in source code, environment variables, or configuration files.
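The key-domain and rotation scheme described above, as an added example using the Python `cryptography` library (not SMVue's code). The domain names, the in-memory keyring and the sample token are constructed for illustration.

```python
from cryptography.fernet import Fernet, MultiFernet, InvalidToken

# Constructed keys for illustration; a real deployment would load them from a
# secret store. Domain names are hypothetical labels for the page's key domains.
def new_keyring(domains):
    """One independent list of Fernet keys per domain, newest key first."""
    return {d: [Fernet.generate_key()] for d in domains}

def cipher(keyring, domain):
    # MultiFernet encrypts with the first key and tries every key on decrypt.
    return MultiFernet([Fernet(k) for k in keyring[domain]])

def add_key(keyring, domain):
    """Start a rotation: prepend a new primary key, keep the old for reads."""
    keyring[domain].insert(0, Fernet.generate_key())

def reencrypt(keyring, domain, token):
    """Rewrite a stored token under the current primary key."""
    return cipher(keyring, domain).rotate(token)

def retire_old_keys(keyring, domain):
    """Finish a rotation once every stored token has been re-encrypted."""
    del keyring[domain][1:]

def can_decrypt(keyring, domain, token):
    try:
        cipher(keyring, domain).decrypt(token)
        return True
    except InvalidToken:
        return False

def demo():
    ring = new_keyring(["crm_tokens", "transcripts"])
    old = cipher(ring, "crm_tokens").encrypt(b"constructed-oauth-token")
    add_key(ring, "crm_tokens")
    readable_during_rotation = can_decrypt(ring, "crm_tokens", old)
    new = reencrypt(ring, "crm_tokens", old)
    retire_old_keys(ring, "crm_tokens")
    return {
        "readable_during_rotation": readable_during_rotation,
        "old_after_retire": can_decrypt(ring, "crm_tokens", old),
        "new_after_retire": can_decrypt(ring, "crm_tokens", new),
        "cross_domain": can_decrypt(ring, "transcripts", new),
        "plaintext": cipher(ring, "crm_tokens").decrypt(new),
    }
```

In this library, re-encryption happens only when `rotate()` is called on a stored token, so an old key can be retired only after every token in that domain has been rewritten.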
Encryption in Transit
All data transmitted between your browser and our servers is protected by TLS 1.2 or higher.
- TLS 1.2+ enforced at the load balancer level with modern cipher suites
- HTTP Strict Transport Security (HSTS) enabled with preload directive
- Automatic HTTP to HTTPS redirection on all endpoints
- All internal service communication encrypted (database SSL required, Redis TLS)
Authentication & Access Control
User Authentication
- Password security — bcrypt hashing with cost factor 12; passwords require 12+ characters with uppercase, lowercase, and digit
- Session management — secure, HttpOnly cookies that cannot be accessed by client-side scripts; tokens are never stored in localStorage
- Brute-force protection — account lockout after 5 failed login attempts with exponential backoff
- CSRF protection — double-submit cookie pattern on all state-changing requests
- Token security — JWT with revocation support; refresh token family rotation detects token reuse and invalidates the entire family; PKCE for all OAuth flows
- Breached password detection — passwords checked against the Have I Been Pwned database during signup and password changes
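Refresh token family rotation with reuse detection, as named in the token security item above, shown as an added example (not SMVue's code). The `RefreshTokenStore` class, its status strings and the user ids are hypothetical, and the store is kept in memory for brevity.

```python
import secrets

class RefreshTokenStore:
    """In-memory store; a real service would persist hashed tokens."""
    def __init__(self):
        self._tokens = {}        # token -> {"family", "user", "used"}
        self._revoked = set()    # family ids invalidated after reuse

    def issue(self, user, family=None):
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"family": family, "user": user, "used": False}
        return token

    def refresh(self, token):
        """Return (new_token, status); new_token is None on any failure."""
        rec = self._tokens.get(token)
        if rec is None:
            return None, "unknown"
        if rec["family"] in self._revoked:
            return None, "family_revoked"
        if rec["used"]:
            # A rotated-out token was presented again: two parties hold tokens
            # from this family, so every descendant is invalidated.
            self._revoked.add(rec["family"])
            return None, "reuse_detected"
        rec["used"] = True
        return self.issue(rec["user"], rec["family"]), "rotated"

def demo():
    store = RefreshTokenStore()
    t1 = store.issue("user-1")              # login starts a new family
    t2, s1 = store.refresh(t1)              # legitimate rotation
    _, s2 = store.refresh(t1)               # replay of the already-used token
    _, s3 = store.refresh(t2)               # newest token in the family is dead too
    other = store.issue("user-2")
    _, s4 = store.refresh(other)            # other families are unaffected
    return [s1, s2, s3, s4]
```

After `reuse_detected`, the legitimate client is also signed out and must log in again, which is the intended cost of invalidating the whole family.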
Administrative Controls
Administrative access to SMVue's internal systems requires additional security:
- Multi-factor authentication — TOTP (time-based one-time password) required for all admin logins, with backup code support
- IP allowlisting — admin access restricted to configured IP addresses in production
- Impersonation audit trail — when support staff view a customer account for troubleshooting, sessions are time-limited, require a documented reason, and generate a complete audit trail
Role-Based Access Control
Access to your organization's data is strictly controlled:
- Organization isolation — row-level isolation on all database tables ensures one organization can never access another's data
- Seat-based visibility — Manager, Executive, and Rep seats each see only the data appropriate to their role
- Enumeration prevention — unauthorized access returns 404 (not found) rather than 403 (forbidden) to prevent data discovery
- Owner controls — only the organization Owner can assign seat types, manage billing, and invite/remove users
Network & Infrastructure Security
Cloud Platform
SMVue runs entirely on Google Cloud Platform (us-central1 region) using managed services:
- Compute — Google Cloud Run with auto-scaling, zero-downtime deployments, and rollback capability
- Database — Google Cloud SQL (PostgreSQL) with regional high availability and automated daily backups
- Cache — Google Cloud Memorystore (Redis) with authentication and TLS encryption
- Storage — Google Cloud Storage with signed URL access for file attachments
- Secrets — Google Secret Manager for all production secrets; injected at runtime, never stored in code
- Infrastructure as Code — all infrastructure defined in Terraform; reproducible and auditable
Web Application Firewall
Google Cloud Armor provides edge-level protection with OWASP ModSecurity Core Rule Set:
- SQL injection protection (sqli-v33-stable)
- Cross-site scripting protection (xss-v33-stable)
- Local file inclusion protection (lfi-v33-stable)
- Remote file inclusion protection (rfi-v33-stable)
- Remote code execution protection (rce-v33-stable)
- Edge rate limiting (supplements application-level rate limiting)
DNS & DDoS Protection
DNS is managed through Cloudflare, providing DDoS protection, traffic filtering, and performance optimization at the network edge.
Application Rate Limiting
Two layers of rate limiting protect against abuse:
- Edge — Google Cloud Armor rate limiting at the load balancer
- Application — SlowAPI + Redis rate limiting per endpoint, with fail-open behavior on Redis failure to prevent lockouts
Database Security
- SSL required for all database connections
- Automated daily backups with 7-day retention
- Point-in-time recovery enabled with 7-day transaction log retention
- pgAudit database audit logging with 2-year log retention
- Database not accessible from the public internet
AI Security
Prompt Injection Defense
SMVue employs a 5-layer defense system to prevent prompt injection attacks:
- Input sanitization — user-provided content is sanitized before inclusion in AI prompts
- System prompt hardening — AI system prompts include explicit instructions to reject manipulation attempts
- Output validation — AI responses are validated against expected formats and content boundaries
- Context isolation — each organization's data is isolated in AI context; cross-organization data leakage is architecturally prevented
- PII protection — shared prompt guardrails prevent AI from exposing or generating personally identifiable information
AI Data Processing
- Primary AI provider — Anthropic (Claude) via LiteLLM abstraction layer
- Embedding provider — OpenAI (for semantic search vectors)
- Data retention — both Anthropic and OpenAI retain API data for up to 30 days for trust and safety monitoring, then delete it
- No model training — your data is never used to train AI models by any provider
- Token budget management — AI usage is monitored and budgeted to prevent runaway costs
AI Output Security
All AI-generated content (meeting prep, coaching insights, Sales Coach responses) passes through output validators that check for:
- Hallucinated data or metrics not present in the source context
- Inappropriate content or tone
- Prompt injection artifacts in responses
- PII leakage
Monitoring & Incident Response
Logging & Observability
- Structured JSON logging with request correlation IDs across all services
- PII minimization in logs — IP addresses hashed, email addresses masked
- Comprehensive audit trail — all administrative actions capture who, what, when, and reason
- Error monitoring — Sentry for real-time error tracking and alerting
- Product analytics — PostHog for usage monitoring (with user consent)
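Structured JSON logging with a correlation ID, hashed IP addresses and masked email addresses, as an added example (not SMVue's code). It assumes a keyed hash (HMAC-SHA256) for IPs, which the page does not specify; the key, field names and sample log line are constructed.

```python
import hashlib, hmac, json, logging, re

# Assumption: a keyed hash (HMAC) is used for IPs; the page only says "hashed".
# An unkeyed hash of an IPv4 address can be reversed by enumerating 2^32 inputs.
LOG_HASH_KEY = b"constructed-demo-key"   # placeholder, not a real secret

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(
    r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")

def hash_ip(ip):
    """Stable pseudonym: the same IP always maps to the same 64-bit tag."""
    digest = hmac.new(LOG_HASH_KEY, ip.encode(), hashlib.sha256).hexdigest()
    return "ip:" + digest[:16]

def scrub(text):
    """Replace IPs with their keyed hash and keep only an email's first letter."""
    text = IPV4.sub(lambda m: hash_ip(m.group(0)), text)
    return EMAIL.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", text)

class JsonFormatter(logging.Formatter):
    def format(self, record):
        return json.dumps({
            "level": record.levelname,
            "request_id": getattr(record, "request_id", None),
            "message": scrub(record.getMessage()),
        })

def render(message, request_id):
    """Format one log record and return the parsed JSON for inspection."""
    record = logging.LogRecord("app", logging.INFO, "demo.py", 0,
                               message, None, None)
    record.request_id = request_id
    return json.loads(JsonFormatter().format(record))
```

Because the hash is deterministic per key, events from one address can still be correlated across log lines without the address itself being stored.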
Status Page
Real-time system status and uptime history are available at https://smvue.betteruptime.com.
Incident Response
In the event of a security incident:
- Affected users notified within 72 hours
- Relevant supervisory authorities notified as required by applicable law
- Post-incident review conducted to prevent recurrence
Compliance & Data Privacy
GDPR
SMVue supports full GDPR compliance:
- Article 17 (Right to Erasure) — 3-phase deletion process: anonymization of PII, removal of content data, and purge of audit references
- Article 20 (Right to Portability) — full data export in machine-readable format
- Data Processing Agreement (DPA) — available upon request, includes Standard Contractual Clauses for international data transfers
- Data Protection Impact Assessment (DPIA) — completed and available upon request
CRM Data Handling
All CRM integrations (HubSpot, Salesforce, Pipedrive) use read-only OAuth access. SMVue never writes data back to your CRM. OAuth tokens are encrypted at rest with a dedicated key domain separate from business data.
Data Retention
- Active accounts: data retained for the lifetime of the account
- Cancelled accounts: data retained for 90 days post-suspension, then permanently deleted
- Audit logs: retained for 2 years
- Database backups: 7-day retention with point-in-time recovery
- AI provider data: retained up to 30 days by providers, then deleted
Secure Development Practices
Security is integrated into every stage of our development workflow:
- Static analysis (SAST) — Semgrep scans on every code change
- Dependency scanning — Trivy scans for known vulnerabilities in all dependencies
- Container scanning — Trivy scans Docker images before deployment
- Infrastructure scanning — Trivy scans Terraform configuration for misconfigurations
- Secret detection — Gitleaks scans in CI prevent accidental secret commits
- Weekly security scans — scheduled scans catch newly disclosed vulnerabilities
- No suppression policy — security warnings and linting errors are fixed at the source, never suppressed with ignore directives
Deployment Security
- All deployments authenticated via Workload Identity Federation (no JSON key files)
- Staging environment mirrors production for pre-deployment validation
- Rollback capability in under 30 seconds
- Database migrations are manual for production (automated for staging only)
Vulnerability Disclosure
We welcome responsible security researchers to report vulnerabilities. If you discover a security issue, please contact us at security@smvue.com. We commit to acknowledging reports within 48 hours and working with researchers to understand and address issues promptly.
Contact Us
For security questions, compliance documentation requests, or to report a vulnerability, please contact us at security@smvue.com.
SMVue, Inc.
Delaware, United States