Security
Last updated February 2026
You're trusting NextVisit with your customer list, your voice, and your reputation. Here's how we protect that trust.
Encryption in transit
All traffic between your browser, our API, and every subprocessor uses TLS 1.2+ (HTTPS). No plaintext connections.
Encryption at rest
MongoDB Atlas stores your data on encrypted volumes (AES-256). Backups are encrypted with a separate key.
Password hashing
Passwords are hashed with bcrypt (12 rounds). We can't see them, and neither can our infra vendors — even if they wanted to.
Rate limiting + brute-force protection
Login and password-reset endpoints throttle repeat attempts per email and IP. Reset tokens are single-use and expire in an hour.
Minimal access
Only the founder has production access, protected by 2FA. Every access event is logged.
Deliverability & compliance
Every outbound message has an unsubscribe link; unsubscribes are honored immediately across every future send. We use Resend for delivery and follow CAN-SPAM, GDPR, and CASL basics.
Infrastructure
NextVisit runs on managed cloud infrastructure. Data is stored in MongoDB Atlas (multi-region encrypted). Emails are delivered via Resend. Payments are processed by Stripe (PCI-DSS Level 1). We never store credit card numbers on our servers — Stripe handles that end-to-end.
Authentication
- Passwords are hashed with bcrypt (never stored in plaintext).
- Sessions use short-lived JWTs (24-hour expiry).
- Password reset links expire in 1 hour and are single-use.
- Team invite links expire in 7 days and are single-use.
- Failed login attempts are rate-limited per email and IP.
Multi-tenant isolation
Every workspace's data is scoped by a workspace_id at the database query level. Cross-workspace access is impossible from any application code path — we have automated tests that verify this on every deploy.
Incident response
In the unlikely event of a security incident that affects your data, we'll notify affected account owners within 72 hours with details of what happened, what we did, and what you should do next.
Reporting a vulnerability
Found something concerning? Please email brooke@bookyournextvisit.com with details. We'll respond within 48 hours and credit you (with permission) once we've fixed the issue.