Legal

Security

Last updated February 2026

You're trusting NextVisit with your customer list, your voice, and your reputation. Here's how we protect that trust.

Encryption in transit

All traffic between your browser, our API, and every subprocessor uses TLS 1.2+ (HTTPS). No plaintext connections.

Encryption at rest

MongoDB Atlas stores your data on encrypted volumes (AES-256). Backups are encrypted with a separate key.

Password hashing

Passwords are hashed with bcrypt (12 rounds). We can't see them, and neither can our infra vendors — even if they wanted to.

Rate limiting + brute-force protection

Login and password-reset endpoints throttle repeat attempts per email and IP. Reset tokens are single-use and expire in an hour.

Minimal access

Only the founder has production access, protected by 2FA. Every access event is logged.

Deliverability & compliance

Every outbound message has an unsubscribe link; unsubscribes are honored immediately across every future send. We use Resend for delivery and follow CAN-SPAM, GDPR, and CASL basics.

Infrastructure

NextVisit runs on managed cloud infrastructure. Data is stored in MongoDB Atlas (multi-region encrypted). Emails are delivered via Resend. Payments are processed by Stripe (PCI-DSS Level 1). We never store credit card numbers on our servers — Stripe handles that end-to-end.

Authentication

  • Passwords are hashed with bcrypt (never stored in plaintext).
  • Sessions use short-lived JWTs (24-hour expiry).
  • Password reset links expire in 1 hour and are single-use.
  • Team invite links expire in 7 days and are single-use.
  • Failed login attempts are rate-limited per email and IP.

Multi-tenant isolation

Every workspace's data is scoped by a workspace_id at the database query level. Cross-workspace access is impossible from any application code path — we have automated tests that verify this on every deploy.

Incident response

In the unlikely event of a security incident that affects your data, we'll notify affected account owners within 72 hours with details of what happened, what we did, and what you should do next.

Reporting a vulnerability

Found something concerning? Please email brooke@bookyournextvisit.com with details. We'll respond within 48 hours and credit you (with permission) once we've fixed the issue.

Made with Emergent