Security

Security layers architecture

Security in BiVelio follows a Zero Trust model with four defense layers. Every component of the system operates on the principle of least privilege, and every operation is logged for auditing purposes.

Core principles

Principle         | Implementation
------------------|------------------------------------------------------------------
Zero Trust        | Every request is authenticated and authorized, without exception
Least privilege   | Each component accesses only the data it needs
Defense in depth  | 4 independent security layers
Full auditability | Every operation is recorded with traceability

Security layers

Layer 1 — Core control (database)

  • Row Level Security (RLS) — isolation by organization_id on all tables
  • Every query is automatically filtered by the authenticated user’s organization
  • Data from another workspace cannot be reached, even if application code contains a bug, because the filter is applied by the database itself

Layer 2 — Orchestrator validation

  • Edge Functions validate the user’s JWT or service role key on every request
  • The org_id is extracted from the token and injected into all queries
  • Constant-time key comparison to prevent timing attacks

Layer 3 — Isolated execution

  • AI agents operate in a sandbox without direct database access
  • Workflows execute each node with scoped permissions
  • MCP integrations operate with minimal credentials per provider

Layer 4 — Interface and authentication

  • Authentication via Supabase Auth (JWT)
  • RBAC with 3 roles: Super Admin, Process Admin, Operator
  • Sessions with configurable expiration
  • No plain-text password storage

Encryption

Data in transit

  • TLS required for all communications
  • HTTPS enforced on app.bivelio.com and all Edge Functions
  • Certificates managed automatically

Data at rest

  • MCP integration credentials encrypted with AES-256-GCM
  • OAuth tokens (Google, WhatsApp) encrypted with the same standard
  • Key derivation via PBKDF2 with 100,000 iterations
  • Storage format: enc:v1:<base64> (versioned for future rotation)
  • Server secrets stored with 0600 permissions (root only)

Encryption keys are never stored alongside the encrypted data. Key rotation is possible thanks to the version prefix in the storage format.

Multi-tenant isolation

BiVelio is multi-tenant by design. Isolation is guaranteed at the database level:

  • Every relevant table includes organization_id as a partition column
  • RLS policies active on all tables with tenant data
  • Indexes optimized for filtering by organization
  • Edge Functions always inject the org_id from the authenticated token
  • No endpoint returns cross-tenant data

RBAC — Role-based access control

Role          | Permissions
--------------|------------------------------------------------------------
Super Admin   | Full access: configuration, users, billing, integrations
Process Admin | Process management, cases, workflows, and agents
Operator      | Day-to-day operations: support, assigned cases, tasks

Permissions are enforced both on the frontend (UI visibility) and on the backend (RLS policies and Edge Function validation).

Compliance

GDPR (General Data Protection Regulation)

  • Data stored in the EU
  • DPA (Data Processing Agreement) signed with infrastructure providers
  • Right of access, rectification, and erasure implemented
  • Consent log and legal basis per operation

LQPD / APDA (Andorran framework)

BiVelio complies with the Llei Qualificada de Protecció de Dades of Andorra:

  • Data residency compatible with the Andorran framework
  • Technical and organizational measures (TOM) documented
  • Classification of personal data by category

Personal data processed

Category           | Examples
-------------------|-----------------------------------------
Master data        | Name, email, phone, address
Communication data | Messages, emails, calls
Contractual data   | Cases, invoices, services
Log data           | Accesses, operations, timestamps
Payment data       | Managed by Stripe (PCI DSS)

Mandatory human-in-the-loop

Certain critical operations require explicit human confirmation:

  • Payments and financial transactions
  • Data deletion
  • Changes to critical workspace configuration
  • Mass communications
  • Deploying changes to production

No AI agent or automation can execute these operations without explicit approval from an administrator.

Infrastructure

  • Edge Functions — Supabase (Deno runtime, per-request isolation)
  • Database — PostgreSQL with native RLS
  • Frontend — Vercel (global CDN, automatic HTTPS)
  • VPS (Fernando) — Hetzner (EU), UFW active, SSH key-only, automatic backups
  • Payments — Stripe (PCI DSS Level 1)