Skip to content
Tenvo
LEGAL · SECURITY

Security Practices

How Tenvo is built, encrypted, and operated, and how to report a vulnerability. Honest answers, including about what we have not yet certified.

Last updated: 2026-05-06
TL;DR

Session content (your screen, keystrokes, files transferred) is encrypted with TLS using a unique per-device certificate. Direct peer-to-peer connections are end-to-end encrypted. The client is open source, so the encryption can be independently audited.

We are not yet SOC 2 or ISO 27001 certified. The infrastructure providers we rely on are. If you find a vulnerability, write to support@tenvoai.com.

Contents
  1. 01Scope
  2. 02Cryptography
  3. 03Infrastructure
  4. 04Authentication and access control
  5. 05Compliance and certifications
  6. 06Audit logging and monitoring
  7. 07Endpoint and corporate security
  8. 08Open source and reproducibility
  9. 09Responsible disclosure
  10. 10Out of scope
  11. 11Incident response
  12. 12Changes

01Scope

This page describes the security architecture of the Tenvo client and the hosted relay service operated by upDevTeam LTD at tenvoai.com, and the responsible-disclosure process for reporting vulnerabilities to us.

It is informational. Contractual security commitments live in the Terms of Service and the DPA.

02Cryptography

Connections are encrypted with TLS. Each device is issued a unique certificate by our certificate authority. On direct peer-to-peer connections the session is end-to-end encrypted between the two devices; when a direct connection is not possible, traffic is relayed and encrypted in transit.

Transport encryption
TLS with a pinned set of trusted certificate authorities, so connections cannot be silently downgraded or intercepted.
Per-device identity
Each device is issued a unique certificate signed by our CA; direct connections validate it (certificate identity must match the device ID) before any session data flows.
Ciphers
Modern AEAD ciphers (such as AES-256-GCM or ChaCha20-Poly1305) negotiated by TLS; legacy and weak ciphers are disabled.
Transport
TLS 1.3 for the relay control plane and the web app. Modern cipher suites only; legacy TLS versions are disabled.
Encryption at rest
Account data and backups are encrypted at rest by our managed database provider.

Cryptographic libraries are pinned to audited upstream versions and updated on a documented schedule. We do not implement our own primitives.

03Infrastructure

Production infrastructure runs on a small number of providers:

  • Our VPS hosting provider — servers that run the relay, the account service, and the marketing site.
  • Supabase, Inc. — managed PostgreSQL for accounts and billing metadata.
  • Stripe Payments Europe Ltd. — card processing for paid plans.
  • GitHub, Inc. — source hosting and CI/CD for client builds.
  • Email is delivered from a mail server we run on our own infrastructure (no third-party email processor).

Each provider that handles personal data is bound by a data-processing agreement. Where processing occurs outside the EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses.

04Authentication and access control

User-level access controls:

  • Email magic-link / OTP sign-in by default. Optional password sign-in with Argon2id-hashed passwords and breach-corpus screening.
  • Two-factor authentication (TOTP) available for paid accounts, mandatory for staff.
  • Per-device permission flags (clipboard, file transfer, audio, restart) chosen by the controlled side at session start.
  • Banned-peer-ID list maintained by upDevTeam LTD and applied at the relay.

05Compliance and certifications

Honest status as of the date at the top of this page: Tenvo and upDevTeam LTD are NOT currently certified to SOC 2, ISO 27001, ISO 27017, ISO 27018, HIPAA, PCI-DSS, FedRAMP, or any other formal third-party security standard. Public claims to the contrary are wrong.

Our hosting, database (Supabase), and payment (Stripe) providers are themselves SOC 2 / ISO 27001 audited; our security inherits some assurance from theirs but does not equal it.

We are working towards an external security review for 2026 and will publish the result on this page when it lands. We will not pretend to certifications we do not hold.

06Audit logging and monitoring

Administrative actions on production systems are logged to a central, append-only log with at least 90-day retention. The log records the actor, the action, the timestamp, and the source IP. Production access is restricted to a small number of named engineers with mandatory two-factor authentication.

We monitor uptime, error rates, and abuse-related signals (sudden traffic spikes, brute-force attempts, peer-ID enumeration) and rotate on-call coverage on a weekly basis.

07Endpoint and corporate security

Staff devices used to access production systems must:

  • run a supported, up-to-date operating system with full-disk encryption enabled;
  • use a managed password manager and a hardware-backed 2FA token (e.g. WebAuthn) for production access;
  • have endpoint protection or a Linux equivalent and automatic security updates;
  • be wiped and certificates revoked when the staff member leaves.

08Open source and reproducibility

The Tenvo client is open source under AGPL-3.0. Anyone can read the source code, build it, and verify that it does what we claim. The relay code (a fork of hbbr / hbbs) is similarly open source.

We publish SHA-256 hashes for every released installer. We are pursuing EV code-signing for Windows and Apple notarisation for macOS; current build status is on the Download page.

09Responsible disclosure

We welcome reports from independent security researchers. To report a vulnerability:

Email
support@tenvoai.com
PGP
PGP key fingerprint published on the same page; encrypted reports preferred for any report involving exploit details.
Response time
Initial acknowledgement within 3 business days; status update within 10 business days; coordinated disclosure agreed before any public posting.
Safe harbour
Good-faith research that complies with this policy will not be subject to legal action by upDevTeam LTD. We ask that you do not access user data, do not test against accounts that are not your own, and do not perform denial-of-service or social-engineering attacks against staff.

We do not currently run a paid bug-bounty programme. We acknowledge meaningful reports publicly (with your permission) on a hall-of-fame page once the issue is fixed.

Critical findings (RCE, broken session encryption, mass authentication bypass) are escalated to the on-call engineer immediately and given priority over scheduled work.

10Out of scope

The following are not eligible for safe-harbour treatment under section 9 and may be reported but are unlikely to be treated as vulnerabilities:

  • denial-of-service or volumetric attacks against any system;
  • social-engineering attacks against upDevTeam staff or customers;
  • physical attacks on offices or data centres;
  • issues that require a victim to install untrusted software;
  • best-practice deviations without a working exploit path (e.g. missing security headers on marketing pages).

11Incident response

We maintain a written incident-response playbook covering detection, containment, eradication, recovery, and post-incident review. The playbook is reviewed at least annually and after every material incident.

If a personal-data breach occurs, the notification timelines in our Privacy Policy and DPA apply.

12Changes

When the architecture or any commitment on this page changes materially, we update the 'Last updated' date and announce the change in the changelog.

Reading the source code is the most reliable way to verify a security claim. Start at github.com/GoDeskFlow.