Security

Last updated 27 June 2026

We build Sentivel to a high security bar: strict tenant isolation between workspaces, secrets encrypted at rest, hashed credentials and tokens, and outbound request validation. No system is perfect, so if you find a vulnerability we want to hear from you. This page is how to reach us and what to expect.

Reporting a vulnerability

Email security@sentivel.com. A machine-readable copy of this contact lives at /.well-known/security.txt (RFC 9116). To help us reproduce and fix quickly, please include:

  • A clear description of the issue and its impact.
  • Step-by-step instructions to reproduce it, with any request or response details, affected URLs, and account or workspace context.
  • Proof-of-concept code or screenshots where they help, and the date and time you observed it.

If a report contains sensitive details, say so and we will arrange an encrypted channel.

What we commit to

  • We will acknowledge your report within three business days, and give you a named point of contact.
  • We will keep you updated as we triage, confirm, and work on a fix, and we will tell you when it is resolved.
  • We will not pursue legal action against you for good-faith research that follows the guidelines below, and we will not pass your details to law enforcement for that research.
  • We will credit you if you would like to be named, once the issue is fixed. We do not run a paid bug-bounty programme yet, so there is no monetary reward at this stage, but we are genuinely grateful and will say so.

Guidelines for good-faith testing

Please:

  • Use only your own accounts and test data, and stop as soon as you have enough to demonstrate the issue.
  • Avoid anything that degrades the service for others: no denial-of-service, no automated high-volume scanning that would trip our rate limits, and no spam to real users.
  • Do not access, modify, or exfiltrate data that is not yours. If you encounter someone else’s data, stop and report it.
  • Give us a reasonable time to fix an issue before disclosing it publicly, and coordinate the timing with us.

Scope

In scope

The Sentivel web application and its public API, our marketing and status-page surfaces, and our authentication, billing, and notification flows. When in doubt, ask before you test.

Out of scope

  • Reports from automated tools with no demonstrated impact, missing best-practice headers with no exploit, or theoretical issues without a working proof of concept.
  • Social engineering of our staff or customers, physical attacks, and anything affecting third-party services we rely on (report those to the provider).
  • Rate-limiting, volumetric, or denial-of-service findings.

How we protect the platform

We enforce tenant isolation in the application layer so one workspace can never read another’s data. We encrypt stored secrets at rest, store credentials and API tokens only as hashes, validate outbound requests against server-side address rules, rate-limit sensitive actions, offer optional two-factor authentication, and monitor for errors and abuse. We pin our database and application compute to one region, and we notify affected customers and the regulator of a personal-data breach where the law requires.

Contact

Security reports go to security@sentivel.com. For privacy and data-protection questions, see our Privacy Policy; for anything else, email hello@sentivel.com.