Security
Authentication
Sign-in is via Google OAuth — we never see or store your password. Access is invite-only: only email addresses on our allow-list can create an account.
Encryption
Traffic is served over HTTPS/TLS. Data-source connection credentials are encrypted at rest (Fernet — AES-128-CBC with an HMAC-SHA256 authentication tag) and decrypted only to run a query you initiate.
Database access is read-only
When the assistant queries a connected database, it runs inside a read-only transaction, so it cannot modify your data. For defence in depth, connect with a least-privilege, read-only database role as well, so that the restriction is also enforced by the database itself.
Tenant isolation
Every project and its data, files, and conversations are scoped to your organisation. Requests are authorised against your organisation on every access.
Infrastructure & the agent sandbox
- Hosted on DigitalOcean; application services run in containers as a non-root user.
- The AI agent’s tools run in a sandbox whose environment is scrubbed of secrets (API keys, encryption keys, database URLs), so a prompt cannot exfiltrate them.
- The Docker socket is not mounted into application containers, and backend services are not exposed to the public internet.
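One way to implement the environment scrubbing described in the list above, as an added example that is not Infervo's own code: the child environment is built from an allow-list rather than by deleting known secret names, and a probe process confirms what a tool can actually read. The variable names, the allow-list and the sample environment are assumptions constructed for illustration.

```python
import json
import os
import subprocess
import sys

# Assumption: the only variables a tool process needs. Anything else is dropped.
ALLOWED_ENV = frozenset({"PATH", "HOME", "LANG", "LC_ALL", "TZ", "TMPDIR"})
# Constructed list of name fragments that suggest a secret.
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "DATABASE_URL", "DSN")


def scrubbed_env(parent_env, allowed=ALLOWED_ENV):
    """Build the child environment from an allow-list, never a deny-list."""
    risky = sorted(n for n in allowed if any(h in n.upper() for h in SECRET_HINTS))
    if risky:
        raise ValueError(f"allow-list admits secret-like names: {risky}")
    return {k: v for k, v in parent_env.items() if k in allowed}


def run_tool(argv, parent_env, timeout=30):
    """Run a tool with only the scrubbed environment and return its stdout."""
    done = subprocess.run(argv, env=scrubbed_env(parent_env), capture_output=True,
                          text=True, timeout=timeout, check=True)
    return done.stdout


def names_visible_to_tool(parent_env):
    """Ask a child process which variable names it can actually read."""
    probe = "import json, os; print(json.dumps(sorted(os.environ)))"
    return json.loads(run_tool([sys.executable, "-c", probe], parent_env))


# Constructed parent environment standing in for the application process.
SAMPLE_PARENT_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "HOME": "/tmp",
    "LLM_API_KEY": "constructed-api-key",
    "CREDENTIAL_ENCRYPTION_KEY": "constructed-fernet-key",
    "DATABASE_URL": "postgresql://app:constructed@db.internal/app",
}

if __name__ == "__main__":
    visible = names_visible_to_tool(SAMPLE_PARENT_ENV)
    leaked = set(visible) & (set(SAMPLE_PARENT_ENV) - ALLOWED_ENV)
    print("visible to tool:", visible)
    print("secrets leaked:", sorted(leaked))
```

Scrubbing covers only what a child inherits through its environment; secrets reachable through files, mounted volumes or internal network services need separate controls.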
Third-party providers
To generate answers, relevant data is processed by the AI and infrastructure sub-processors listed in our Privacy Policy. Please review that list before connecting sensitive data.
Responsible disclosure
Found a security issue? Please email hello@infervo.app with the details and we will respond promptly. Please do not publicly disclose until we have had a chance to fix it.
Preview status
Infervo is in active preview; our security posture is evolving and this page will be kept current. Some hardening (e.g. fully container-isolated agent sandboxing) is on the roadmap before general availability.