Security & Trust

Enterprise-grade security for your restaurant data

Last Updated: March 2, 2026

AES-256 Encryption
TLS 1.2+ Transit
SOC2-Ready
GDPR Compliant

At Nirvah AI, security isn't an afterthought—it's foundational to everything we build. We understand that you're trusting us with your business data, and we take that responsibility seriously.

Nirvah AI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. See our Privacy Policy for full details.

Encryption at Rest

AES-256

All sensitive credentials (OAuth tokens, webhook secrets) and customer PII (phone numbers, names, email addresses, delivery addresses) are encrypted using AES-256-GCM at the application level before storage. Encryption keys are managed through secure environment variables and never stored in the database.

  • Database encryption: All customer data in our PostgreSQL databases is encrypted at the storage level
  • Application-level encryption: OAuth tokens and customer PII are individually encrypted using AES-256-GCM before being written to the database
  • File storage: Uploaded documents, menus, and knowledge base files are encrypted before storage
  • Backups: All database backups are encrypted using the same standards

Encryption in Transit

TLS 1.2+

All data transmitted between your browser and our servers is protected using TLS 1.2 or higher encryption protocols.

  • HTTPS everywhere: All connections to our platform are encrypted with TLS certificates
  • API encryption: All API calls to Google Business Profile, KitchenHub, and Square are encrypted using TLS 1.2+
  • Voice data: Real-time voice streams are encrypted end-to-end through our voice AI provider
  • Certificate management: We use automated certificate rotation and monitoring

Multi-Tenant Data Isolation

Row Level Security

Nirvah AI employs strict logical separation of customer data. Restaurant data from Google Business Profile, Square POS, and KitchenHub is isolated at the database level using Row Level Security (RLS). Cross-tenant data access is architecturally impossible.

  • Row Level Security (RLS): Database-level policies ensure that queries can only access data belonging to your organization
  • Tenant isolation: Each customer's data is logically separated with unique identifiers tied to the restaurant entity
  • Compliance logging: Compliance actions are logged with full audit trails
  • Periodic reviews: We conduct periodic security reviews and dependency updates

SOC2 Readiness: Our infrastructure and practices are designed to meet SOC2 Type II requirements. We are actively working toward formal certification.

Google Data Deletion: Google Business Profile review data is immediately purged from all systems when the integration is disconnected, in compliance with the Google API Services User Data Policy.

Access Controls & Authentication

We implement multiple layers of access control to protect your account:

  • Secure authentication: Powered by Supabase Auth with support for email/password and Google OAuth
  • Session management: httpOnly, secure cookies with SameSite protection against cross-site attacks
  • Role-based access: Different permission levels for owners, managers, and staff
  • Admin verification: Additional verification codes required for administrative access
  • Token encryption: Integration tokens are encrypted at the application level using AES-256-GCM before database storage

AI & Data Processing Guarantees

We enforce strict boundaries on how customer data is processed by AI systems:

  • Receipt OCR: Receipt images processed via OpenAI Vision are used for transient OCR only and are not used to train global models
  • Voice transcription: Voice transcriptions via Deepgram/LiveKit are encrypted and stored only for the duration required by the restaurant's retention policy
  • Zero-training guarantee: No customer data is used to train third-party AI providers' public foundation models. All AI inference uses enterprise API access with zero-retention terms

Vendor Security

We carefully vet all third-party vendors and require them to meet our security standards:

| Vendor | Purpose | Compliance |
| --- | --- | --- |
| Supabase | Database & Auth | SOC2 Type II |
| Vercel | Hosting & Edge | SOC2 Type II |
| OpenAI / Anthropic | AI Inference & Receipt OCR (Vision) | SOC2 Type II |
| LiveKit | Voice AI Infrastructure | SOC2 Type II |
| Deepgram | Speech-to-Text | SOC2 Type II |
| Cartesia | Text-to-Speech | SOC2 Type II |
| Stripe | Payments | PCI DSS Level 1 |
| Google Cloud Platform | API Infrastructure & Business Profile | SOC2 Type II, ISO 27001 |
| Square | POS Data Integration | PCI DSS Level 1, ISO 27001 |
| KitchenHub | POS Middleware (Toast & Clover) | Enterprise Security |
| Twilio | SMS & Voice Telephony | ISO 27001 |

Incident Response

We maintain a comprehensive incident response plan to quickly address any security events:

  • 24/7 monitoring: Automated alerting for suspicious activities and system anomalies
  • Rapid response: Defined procedures for containment, investigation, and remediation
  • Customer notification: Timely communication if your data is affected by any security incident
  • Post-incident review: Root cause analysis and improvements after every incident

Compliance & Certifications

We design our systems to meet or exceed industry compliance requirements:

  • GDPR (Compliant): Data protection rights for EU residents
  • CCPA (Compliant): Privacy rights for California residents
  • SOC2 Type II (In Progress): Security, availability, and confidentiality
  • TCPA (Compliant): Telephone consumer protection

Data Retention Policy

We retain data only as long as necessary for the services we provide. Below are our standard retention periods:

| Data Type | Retention Period |
| --- | --- |
| Call recordings | 90 days |
| Call transcripts | 1 year |
| Order data | 2 years |
| Google Business Profile data | Until integration disconnect or account deletion. All synced review data is immediately deleted upon disconnection. |
| Restaurant leads | Until deleted by user |
| Log data | 30 days |

Security Contact

If you discover a security vulnerability or have security-related questions, please contact us immediately:

Security Team

Email: help@nirvah.ai

For general support: help@nirvah.ai

We take all security reports seriously and will respond within 24 hours.