Security Policy

Last updated: April 16, 2026

Our Commitment to Security

At Sureva, security is fundamental to everything we do. As a financial services platform, we implement industry-leading security measures to protect your data and funds.

Security Measures

Infrastructure Security

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • SOC 2 Type II compliant infrastructure providers
  • Regular penetration testing by third-party security firms
  • 24/7 security monitoring and incident response
  • Geographic redundancy and disaster recovery

Application Security

  • Multi-factor authentication (MFA) available for all accounts
  • Strict Content Security Policy (CSP) headers
  • Protection against OWASP Top 10 vulnerabilities
  • Regular security code reviews and static analysis
  • Dependency vulnerability scanning

Access Controls

  • Role-based access control (RBAC)
  • Principle of least privilege for all systems
  • Audit logging of all administrative actions
  • Automatic session timeout and secure session management

Responsible Disclosure Program

We value the security research community and welcome reports of potential vulnerabilities.

How to Report

Email: security@sureva.co

Please include detailed steps to reproduce the issue, potential impact, and any proof-of-concept code.

Scope

In scope:

  • sureva.co and all subdomains
  • api.sureva.co
  • Sureva mobile applications
  • Authentication and authorization flaws
  • Data exposure vulnerabilities
  • Payment processing security issues

Out of scope:

  • Social engineering or phishing attacks
  • Denial of service (DoS/DDoS) attacks
  • Physical security issues
  • Issues in third-party services we use
  • Spam or email configuration issues
  • Missing best practices without demonstrated impact

Our Commitment

  • Acknowledge receipt within 24 hours
  • Provide regular updates on remediation progress
  • Not pursue legal action for good-faith research
  • Credit researchers in our acknowledgements (with permission)
  • Work collaboratively on disclosure timing

Rules of Engagement

  • Do not access or modify data belonging to other users
  • Do not degrade or disrupt our services
  • Do not publicly disclose issues before we've had reasonable time to address them
  • Only test against accounts you own or have explicit permission to test

Security Acknowledgements

We thank the following security researchers for responsibly disclosing vulnerabilities:

No acknowledgements yet. Be the first to report a valid security issue!

Compliance & Certifications

  • PCI-DSS-compliant payment processing (via Stripe)
  • FinCEN-registered Money Services Business
  • GDPR-compliant data handling
  • CCPA-compliant handling for California residents

Contact

For security-related inquiries:

Security Team

Email: security@sureva.co

PGP Key: /.well-known/pgp-key.txt