Security

How we secure your data

Security practices that protect your account, your business data, and your QuickBooks Online connection.

OAuth-based QuickBooks Online access

Samurvi never asks for or stores your QuickBooks Online username or password. Connecting your account uses Intuit's OAuth 2.0 authorization flow: you sign in and approve access directly with Intuit, and Intuit issues Samurvi a limited, revocable access token scoped to the data you authorize. You can revoke this access at any time from Samurvi's settings or from your Intuit account's connected-apps page, which immediately stops any further data access.

Encryption in transit and at rest

All traffic to and from Samurvi is encrypted using HTTPS/TLS, including the QuickBooks Online OAuth flow and API calls. Sensitive data, including authentication tokens, is encrypted at rest in our databases.

Authentication and session security

User passwords are hashed using industry-standard, salted hashing algorithms — we never store plain-text passwords. Sessions are managed with short-lived, HTTP-only authentication cookies, which are inaccessible to client-side scripts and help protect against common web attacks such as cross-site scripting.

Access control

Samurvi uses role-based access control within each account (owner, admin, instructor, and viewer roles), so users only see the data appropriate to their role. Internally, access to production systems, databases, and customer data is restricted to authorized personnel on a least-privilege, need-to-know basis.

Secrets management

API keys, OAuth client secrets, database credentials, and other sensitive configuration are stored using environment isolation and secrets management practices, kept out of source control, and accessible only to the services that require them.

Responsible disclosure

If you believe you have found a security vulnerability in Samurvi, please report it to us at admin@samurvi.com. Please include enough detail for us to reproduce the issue, and avoid accessing, modifying, or deleting data that is not your own. We will acknowledge reports within a reasonable timeframe and ask that you give us a reasonable opportunity to investigate and address any issue before disclosing it publicly. We will not pursue legal action against researchers who make a good-faith effort to comply with this policy.

Certifications

Samurvi currently applies the practices described above but has not obtained formal third-party security certifications such as SOC 2, HIPAA, or ISO 27001. We do not claim any such certification today. As the business grows, we intend to pursue formal audits and certifications appropriate to our customers' needs.