Your data's security is the product's foundation. Here is how we protect your files, comments, and identity.
Encryption in Transit
All traffic between your browser and our servers is encrypted with TLS 1.3, using certificates issued by Let's Encrypt. Plain HTTP is not served: subdomains and API endpoints are reachable only over HTTPS.
Encryption at Rest
Uploaded files are stored on Vultr's S3-compatible object storage in Singapore, which applies automatic disk encryption. PostgreSQL runs on encrypted volumes, and the daily backups are encrypted as well. Disk encryption protects the data if the underlying storage media is lost or decommissioned; the access controls described below are what keep one user's data from another.
Authentication
Passwords are hashed with bcrypt (cost factor 10) and are never stored in plaintext. Sessions are JWTs signed with HS256 using signing keys that are rotated periodically, delivered in an HTTP-only cookie with a 30-day lifetime, so page scripts cannot read the session token.
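The following is an added example, not the product's code, of what the session scheme above looks like when implemented with HS256 and rotated keys. The key ring, key ids, secrets and the `kid` header convention are assumptions for illustration (the page only says that signing keys rotate); the point is that the server pins the algorithm, looks the verification key up by key id so sessions issued under the previous key keep working until they expire, compares signatures in constant time, and sends the token with the cookie attributes that keep it off scripts and off plain HTTP.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical key ring (constructed values, not the product's keys). Only the newest
# key signs new sessions; every key still in the ring verifies, so sessions issued
# under a recently retired key remain valid until they expire.
KEY_RING = {
    "2024-05": b"retired-key-still-accepted-for-verification",
    "2024-06": b"current-signing-key",
}
CURRENT_KID = "2024-06"
SESSION_TTL = 30 * 24 * 3600  # 30-day session, as stated on the page


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user_id: str, now: Optional[int] = None, kid: str = CURRENT_KID) -> str:
    """Mint an HS256 JWT that records the key id (kid) it was signed with."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"sub": user_id, "iat": now, "exp": now + SESSION_TTL}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(KEY_RING[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_session(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload of a valid, unexpired session token, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        payload = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; the token must never choose it ("none", key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    kid = header.get("kid")
    key = KEY_RING.get(kid) if isinstance(kid, str) else None
    if key is None:
        return None  # unknown or fully retired key: the session is simply gone
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


def session_cookie(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps scripts off the token, Secure binds it to TLS."""
    return f"session={token}; Max-Age={SESSION_TTL}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Rotation works by adding a new key to the ring and making it `CURRENT_KID`; the old key stays in the ring for at least one session lifetime (30 days here) and is then dropped, at which point any remaining sessions signed with it fail verification.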
File Access
Files are served only through presigned S3 URLs that expire after 24 hours. Every request for such a URL is authorized first: the requester must be a member of the file's workspace, or present a valid guest share-link token. Note that a presigned URL is itself a bearer credential: anyone who obtains it can download that object until it expires, so treat share links accordingly.
Workspace Isolation
Each workspace has a unique UUID, used both as the S3 key prefix (`workspace-{uuid}/docs/...`) and for row-level isolation in the database. Members of one workspace cannot access files or rows belonging to another.
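As an added example (not the product's code) of how the file-access rule and the workspace prefix above fit together: the object key is built under `workspace-{uuid}/docs/` from a caller-supplied relative path and anything that could escape the prefix is refused, the request is then authorized by membership or by a share link bound to exactly one object, and only after that is a time-limited URL minted. The membership table, share-link table, the `presign` stand-in (a toy HMAC in place of a real S3 presigned URL) and all identifiers are constructed assumptions.

```python
import hashlib
import hmac
import posixpath
import uuid
from typing import Optional

# Constructed workspaces, memberships and share links (hypothetical, not the product's schema).
WS_A = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"
WS_B = "9b2e1c7a-5d1f-4e6b-8a2d-7c4f1e0b9a55"
MEMBERS = {WS_A: {"alice", "bob"}, WS_B: {"carol"}}
SHARE_LINKS = {  # guest token -> exactly one object in one workspace, with an expiry
    "guest-7f3a": {"workspace": WS_A, "key": f"workspace-{WS_A}/docs/brief.pdf",
                   "exp": 1_700_086_400},
}
PRESIGN_SECRET = b"constructed-demo-secret"  # stands in for the S3 access key pair
PRESIGN_TTL = 24 * 3600  # 24 hours, as on the page


def object_key(workspace_id: str, relative_path: str) -> str:
    """Build the S3 key under the workspace prefix, refusing anything that could escape it."""
    uuid.UUID(workspace_id)  # ValueError unless it really is a UUID: no crafted prefixes
    norm = posixpath.normpath(relative_path)
    if (relative_path != norm or norm in (".", "..") or norm.startswith(("/", "../"))
            or "\\" in relative_path):
        raise ValueError(f"rejected path: {relative_path!r}")
    return f"workspace-{workspace_id}/docs/{norm}"


def authorize_download(workspace_id: str, key: str, now: int,
                       user: Optional[str] = None, share_token: Optional[str] = None) -> bool:
    """Member of the workspace, or a matching unexpired guest link; key must be in this workspace."""
    if not key.startswith(f"workspace-{workspace_id}/docs/"):
        return False  # never mint a URL for an object outside the caller's workspace
    if user is not None and user in MEMBERS.get(workspace_id, set()):
        return True
    link = SHARE_LINKS.get(share_token) if share_token is not None else None
    return bool(link and link["workspace"] == workspace_id
                and link["key"] == key and link["exp"] > now)


def presign(key: str, now: int) -> str:
    """Toy stand-in for an S3 presigned URL (boto3's generate_presigned_url in production).
    Like the real thing it is a bearer credential: the signature covers key and expiry only,
    so whoever holds the URL can fetch the object until `expires`."""
    expires = now + PRESIGN_TTL
    sig = hmac.new(PRESIGN_SECRET, f"{key}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"https://example-bucket.invalid/{key}?expires={expires}&sig={sig}"


def download_url(workspace_id: str, relative_path: str, now: int,
                 user: Optional[str] = None, share_token: Optional[str] = None) -> Optional[str]:
    """Authorize first; only then hand out a time-limited URL. None means denied."""
    key = object_key(workspace_id, relative_path)
    if not authorize_download(workspace_id, key, now, user=user, share_token=share_token):
        return None
    return presign(key, now)
```

The prefix check in `authorize_download` includes the trailing `/docs/` so that a key such as `workspace-{uuid}-other/...` cannot pass a bare `startswith` on the UUID, and `object_key` validates the UUID and normalizes the path before the prefix is ever assembled.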
AI Processing
Comments and document content are sent to the Claude API only when you explicitly click "Summarize" or "Draft AI". The data flows through the XessOne AI Gateway (an internal server) to Anthropic. Under Anthropic's API policy, data sent through the API is not used to train their models.
Monitoring & Logs
Access logs are audited for anomaly detection. Each entry records the client IP, the endpoint, the response status, and a timestamp; request bodies and other unnecessary PII are not logged. Technical logs are rotated automatically after 90 days.
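As an added example (not the product's own tooling) of anomaly detection over exactly the four fields above, the following parses constructed log lines and runs two sliding-window detectors: a burst of failed logins from one IP, and one IP collecting 403/404 responses across many distinct file endpoints, which is what share-link or object-id guessing looks like from the server side. The line layout, the endpoint paths and the thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log lines in the field set the page describes (timestamp, IP, endpoint, status).
# The exact layout is an assumption, not the product's real log format.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 203.0.113.5 /api/login 401
2024-06-01T10:00:03Z 203.0.113.5 /api/login 401
2024-06-01T10:00:05Z 198.51.100.7 /api/login 401
2024-06-01T10:00:06Z 203.0.113.5 /api/login 401
2024-06-01T10:00:08Z 203.0.113.5 /api/login 401
2024-06-01T10:00:10Z 198.51.100.7 /api/login 200
2024-06-01T10:00:12Z 203.0.113.5 /api/login 401
2024-06-01T10:01:00Z 203.0.113.9 /api/files/a1 403
2024-06-01T10:01:01Z 203.0.113.9 /api/files/a2 403
2024-06-01T10:01:02Z 203.0.113.9 /api/files/a3 403
2024-06-01T10:01:03Z 203.0.113.9 /api/files/a4 403
2024-06-01T10:01:04Z 203.0.113.9 /api/files/a5 403
2024-06-01T10:01:05Z 203.0.113.9 /api/files/a6 403
2024-06-01T10:01:10Z 198.51.100.7 /api/files/b1 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse(log_text):
    """Return (epoch_seconds, ip, endpoint, status) tuples sorted by time; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return sorted(events)


def login_bursts(events, threshold=5, window=60.0):
    """IPs with at least `threshold` 401s on /api/login inside any `window` seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for ts, ip, endpoint, status in events:
        if endpoint != "/api/login" or status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append(("login_burst", ip))
            q.clear()  # one alert per burst, not one per extra failure
    return alerts


def file_enumeration(events, threshold=5, window=300.0):
    """IPs denied on at least `threshold` distinct /api/files/ endpoints inside `window` seconds."""
    recent = defaultdict(deque)  # ip -> (timestamp, endpoint) of recent 403/404s
    alerts = []
    for ts, ip, endpoint, status in events:
        if not endpoint.startswith("/api/files/") or status not in (403, 404):
            continue
        q = recent[ip]
        q.append((ts, endpoint))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({e for _, e in q}) >= threshold:
            alerts.append(("file_enumeration", ip))
            q.clear()
    return alerts


def run_detectors(log_text):
    events = parse(log_text)
    return login_bursts(events) + file_enumeration(events)
```

Both detectors key only on IP, endpoint, status and time, so they work on logs that deliberately omit request content; the cost of that minimalism is that a distributed attacker spreading attempts across many IPs stays under either per-IP threshold, which is why such rules are usually paired with per-account or per-share-link counters.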
Backup & Disaster Recovery
The database is backed up automatically every 24 hours to a separate volume. Our Recovery Time Objective (RTO) is 4 hours and our Recovery Point Objective (RPO) is 24 hours, meaning that in the worst case up to 24 hours of changes could be lost. We rehearse recovery periodically.
Incident Response
If a data breach affecting you occurs, we will notify you by email within 72 hours of detecting and confirming it, with details of the impact and the mitigation steps taken.
Report Vulnerabilities
If you find a security flaw, please report it to hello@viscollab.com with the subject "Security". We appreciate responsible disclosure and respond within 48 hours.