Security & Compliance

Enterprise-grade security with multi-tenant isolation, encryption, role-based access control, and GDPR compliance. Privacy-first architecture.

Security Overview

Craveva AI is built with security and privacy as core principles. Our multi-layered security approach ensures complete data protection at every level - from authentication to data storage.

Security Layers

Multi-Tenant Isolation

Complete data separation at the database level ensures no cross-tenant data access:

Database-Level Filtering

All queries automatically filtered by company_id at the database level

Complete Data Separation

Each company's data is completely isolated - no shared namespaces

Outlet-Level Isolation

Additional outlet_id filtering for outlet-specific data access

API Request Scoping

All API requests automatically scoped to user's company context

Encryption

At Rest

AES-256-GCM encryption for sensitive data stored in database

  • Sensitive credentials encrypted (API keys, database passwords)
  • Encryption key from ENCRYPTION_KEY environment variable (min 32 chars)
  • Never stored in plain text
  • Automatic encryption on save hooks
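
One way to implement the at-rest scheme listed above, as an added example that is not Craveva's own code. The scrypt key derivation, the `v1.salt.iv.tag.ciphertext` layout, the function names and the use of a `company_id` string as GCM associated data are assumptions made for illustration.

```javascript
// Added example (Node.js): field-level AES-256-GCM keyed from ENCRYPTION_KEY.
const crypto = require('node:crypto');

const MIN_SECRET_CHARS = 32; // minimum length stated on the page

function deriveKey(secret, salt) {
  if (typeof secret !== 'string' || secret.length < MIN_SECRET_CHARS) {
    throw new Error('ENCRYPTION_KEY must be at least 32 characters');
  }
  // Assumed KDF: scrypt stretches the text secret into a uniform 32-byte key.
  return crypto.scryptSync(secret, salt, 32);
}

// Stored form (constructed for this example): v1.salt.iv.tag.ciphertext
function encryptField(plaintext, secret, context) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  cipher.setAAD(Buffer.from(context)); // ties the ciphertext to one tenant
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const parts = [salt, iv, cipher.getAuthTag(), ct];
  return ['v1', ...parts.map((p) => p.toString('base64url'))].join('.');
}

function decryptField(blob, secret, context) {
  const [version, ...parts] = blob.split('.');
  if (version !== 'v1' || parts.length !== 4) {
    throw new Error('unrecognised ciphertext format');
  }
  const [salt, iv, tag, ct] = parts.map((p) => Buffer.from(p, 'base64url'));
  if (iv.length !== 12 || tag.length !== 16) {
    throw new Error('bad nonce or tag length'); // reject truncated tags
  }
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', deriveKey(secret, salt), iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(context));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag or context was altered.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// In a save hook, the call would look like:
//   encryptField(doc.apiKey, process.env.ENCRYPTION_KEY, `company_id=${doc.company_id}`)
```

A 32-character string is not 32 random bytes, which is why the example passes the secret through a KDF instead of using it directly as the AES key.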

In Transit

HTTPS/TLS for all connections and API communications

  • SSL/TLS for MongoDB connections
  • HTTPS for all API calls
  • Certificate verification
  • Optional HTTPS enforcement via ENFORCE_HTTPS

Authentication & Authorization

JWT Authentication

JWT-based authentication with access tokens and refresh token rotation

6 Role Levels

Master Admin (platform-wide), Super Admin (platform-wide), Admin (company-scoped), Project Manager (project-scoped), Team Lead (team-scoped), Member (agent-assigned only)

Principle of Least Privilege

Users get minimum access needed for their role with hierarchical RBAC

API Key Management

Secure API key generation, rotation, expiration, and encryption (AES-256-GCM)

Password Security

bcrypt password hashing with salt rounds and strength validation

Session Management

Secure session handling with JWT expiration and automatic timeout

Data Privacy

Tenant-Aware Queries

All database queries automatically include tenant isolation filters

Encrypted Credentials

Data source credentials encrypted using AES-256-GCM

Secure File Uploads

File uploads validated and stored securely with access controls

Data Minimization

Only collect and store data necessary for functionality

Network Security

HTTPS/TLS

All connections encrypted with SSL/TLS certificates

CORS Configuration

Controlled cross-origin access with whitelist support

Rate Limiting

Protection against abuse (10 req/hour public, 20 req/hour platform)

Helmet Security

Security headers middleware (XSS protection, content security policy)

Audit Logging

Complete action logging for security and compliance:

User Activity

All user actions logged with timestamps, user ID, and company context

API Calls

Complete API request/response logging with IP addresses and request paths

Data Access

Track all data access, queries, and tenant isolation enforcement

Authentication Events

Login, logout, token refresh, and password reset events

Agent Execution

Track all agent executions, queries, and responses

Deployment Events

Track agent deployments, configuration changes, and platform integrations

Compliance Ready

GDPR

  • Right to access data
  • Right to deletion
  • Data portability
  • Privacy by design

SOC 2 Ready

  • Access controls
  • Encryption standards
  • Monitoring systems
  • Incident response