At Autohive, we know that trusting us with your data is a big deal. This document explains how we protect your information at every layer of the platform.


1. Data encryption

In transit: All data moving between your device and Autohive servers is encrypted using TLS 1.2 or higher. HTTPS is enforced across the web application and all APIs, and HTTP requests are automatically redirected to HTTPS.

At rest: Conversations, direct messages, and workspace data are encrypted using AES-256. Each workspace and individual conversation is encrypted with its own unique key, ensuring strict data isolation. Only authorised members of a specific workspace or conversation can decrypt its contents. Encryption keys are managed using industry-standard protection mechanisms.
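The per-conversation keying described above, as an added Go sketch that is not Autohive's implementation (the page does not describe its key-management internals): a single key-encryption key, standing in for the managed master key, wraps a fresh AES-256-GCM data key for each conversation, the conversation ID is bound into both layers as additional authenticated data, and decrypting with another conversation's key, with a wrapped key copied from another record, or after tampering fails outright rather than returning garbage. All type and function names, and the in-memory structures, are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added example, not Autohive's code: a key-encryption key (KEK) stands in for
// the managed master key and wraps one AES-256 data key (DEK) per conversation.

// WrappedDEK is what a conversation's database row would hold: the DEK sealed under the KEK.
type WrappedDEK struct {
	Nonce      []byte
	Ciphertext []byte
}

// Envelope is a stored message, sealed under its conversation's DEK.
type Envelope struct {
	ConversationID string
	Nonce          []byte
	Ciphertext     []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must never be papered over
	}
	return b
}

// seal encrypts plaintext under key with a fresh nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func openSealed(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// NewConversationKey creates the DEK for one conversation and its wrapped form. The
// conversation ID is the AAD, so a wrapped key copied into another record will not unwrap.
func NewConversationKey(kek []byte, conversationID string) ([]byte, WrappedDEK, error) {
	dek := randomBytes(32)
	nonce, ct, err := seal(kek, dek, []byte(conversationID))
	if err != nil {
		return nil, WrappedDEK{}, err
	}
	return dek, WrappedDEK{Nonce: nonce, Ciphertext: ct}, nil
}

// UnwrapConversationKey is the step an authorisation check gates: whoever obtains
// the DEK can read the conversation, so membership is verified before calling it.
func UnwrapConversationKey(kek []byte, conversationID string, w WrappedDEK) ([]byte, error) {
	return openSealed(kek, w.Nonce, w.Ciphertext, []byte(conversationID))
}

// EncryptMessage binds the ciphertext to its conversation ID as AAD, so a record
// moved between conversations fails to decrypt.
func EncryptMessage(dek []byte, conversationID string, plaintext []byte) (Envelope, error) {
	nonce, ct, err := seal(dek, plaintext, []byte(conversationID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{ConversationID: conversationID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptMessage fails on the wrong DEK, a tampered record or a mismatched ID.
func DecryptMessage(dek []byte, e Envelope) ([]byte, error) {
	return openSealed(dek, e.Nonce, e.Ciphertext, []byte(e.ConversationID))
}

func main() {
	kek := randomBytes(32) // in production the KEK lives in a KMS/HSM, not in process memory
	dek, wrapped, _ := NewConversationKey(kek, "conv-A")
	env, _ := EncryptMessage(dek, "conv-A", []byte("hello"))
	dek2, _ := UnwrapConversationKey(kek, "conv-A", wrapped)
	pt, err := DecryptMessage(dek2, env)
	fmt.Printf("%s %v\n", pt, err)
}
```

The design point is that "only authorised members can decrypt" is enforced at the unwrap step rather than by a database filter alone: the application asks the key manager for the conversation's DEK only after the membership check passes, and a record that has been swapped between conversations or edited in storage is rejected by GCM's authentication tag.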


2. Infrastructure and network security

  • Cloud infrastructure: Autohive runs on AWS, which holds SOC 2 Type II and ISO 27001 certifications. The underlying physical and network infrastructure meets the highest standards for security and availability.
  • Network isolation: The application uses multiple layers of network isolation with Virtual Private Clouds (VPCs) and security groups. Traffic between services is strictly controlled, and only necessary connections are permitted.
  • HSTS: HTTP Strict Transport Security is enabled in production with a one-year max-age, preloading, and subdomain coverage.
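The HTTPS redirect from section 1 and the HSTS policy above, as an added Go example that is not Autohive's code: a net/http middleware that sends plain-HTTP requests to HTTPS and attaches Strict-Transport-Security only to responses served over TLS, plus a checker a practitioner can run against a header value captured from the live site to confirm it carries the one-year max-age, subdomain coverage and preload directive. The host names in the usage are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Added example, not Autohive's code. Names are hypothetical.

const oneYear = 31536000 // seconds; the minimum the preload list requires

// HSTSValue is the header value for a one-year max-age with subdomain coverage and preload.
const HSTSValue = "max-age=31536000; includeSubDomains; preload"

// EnforceHTTPS redirects plain-HTTP requests to HTTPS and sets HSTS on TLS responses
// only (browsers ignore HSTS received over plain HTTP, so sending it there is pointless).
func EnforceHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			target := "https://" + r.Host + r.URL.RequestURI()
			http.Redirect(w, r, target, http.StatusPermanentRedirect)
			return
		}
		w.Header().Set("Strict-Transport-Security", HSTSValue)
		next.ServeHTTP(w, r)
	})
}

// CheckHSTS parses a Strict-Transport-Security value and reports the first way in
// which it falls short of the policy (one-year max-age, includeSubDomains, preload).
func CheckHSTS(value string) error {
	var maxAge int64 = -1
	subdomains, preload := false, false
	for _, directive := range strings.Split(value, ";") {
		d := strings.TrimSpace(directive)
		switch {
		case strings.HasPrefix(strings.ToLower(d), "max-age="):
			v := strings.Trim(strings.TrimSpace(d[len("max-age="):]), "\"")
			n, err := strconv.ParseInt(v, 10, 64)
			if err != nil {
				return fmt.Errorf("unparseable max-age in %q", d)
			}
			maxAge = n
		case strings.EqualFold(d, "includeSubDomains"):
			subdomains = true
		case strings.EqualFold(d, "preload"):
			preload = true
		}
	}
	switch {
	case maxAge < 0:
		return errors.New("max-age directive missing")
	case maxAge < oneYear:
		return fmt.Errorf("max-age %d is below one year (%d)", maxAge, oneYear)
	case !subdomains:
		return errors.New("includeSubDomains missing")
	case !preload:
		return errors.New("preload missing")
	}
	return nil
}

func main() {
	app := EnforceHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	fmt.Println(CheckHSTS(HSTSValue))
	fmt.Println(CheckHSTS("max-age=300"))
	_ = app // http.ListenAndServeTLS(":443", certFile, keyFile, app) in a real deployment
}
```

One caveat when checking a deployed site: fetch the header over HTTPS, since a correctly configured server never emits it on the plain-HTTP redirect response, and an absent header on that leg is not a finding.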

3. Authentication

Autohive supports the following sign-in methods:

  • Email and password — with strong password requirements and a secure reset flow (reset links expire after 30 minutes)
  • Continue with Google — OAuth 2.0 with openid, profile, and email scopes
  • Continue with Apple — OAuth 2.0 with name and email scopes
  • Continue with Xero — OAuth 2.0 with openid, profile, and email scopes. Autohive retrieves your name and email from Xero’s identity token to create or match your account. No accounting data is accessed during sign-in.

Two-factor authentication (2FA)

Autohive supports TOTP-based two-factor authentication using any standard authenticator app (e.g. Google Authenticator, Authy, 1Password).

Setting up 2FA:

  1. Go to your account preferences.
  2. Scan the QR code with your authenticator app, or enter the manual key.
  3. Enter the 6-digit code to confirm and activate 2FA.

Recovery codes: When you enable 2FA, recovery codes are generated. Store these securely. They can be used to access your account if you lose access to your authenticator app.

Plan-enforced 2FA: Plan owners can require all members to enrol in 2FA. If required, new members are prompted to set up 2FA before they can access the workspace.
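The TOTP enrolment and verification flow above, together with recovery codes, as an added Go example that is not Autohive's code: HOTP and TOTP per RFC 4226 and RFC 6238 with six digits and a 30-second step, the base32 manual key that the QR code also carries, verification that tolerates one step of clock skew but never accepts the same code twice, and single-use recovery codes of which only hashes are stored. The Enrolment type and its field names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Added example, not Autohive's code; names are hypothetical.
const StepSecs = 30 // TOTP time step in seconds; codes are six digits

// HOTP is the RFC 4226 code for one counter value (HMAC-SHA1 with dynamic truncation).
func HOTP(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is HOTP over the 30-second step containing unixTime (RFC 6238).
func TOTP(secret []byte, unixTime int64) string {
	return HOTP(secret, uint64(unixTime/StepSecs))
}

// Enrolment is what the server keeps for one user's 2FA.
type Enrolment struct {
	Secret         []byte
	lastCounter    int64           // highest step already redeemed; blocks replay
	recoveryHashes map[string]bool // sha256 hex of a recovery code -> still unused
}

func NewEnrolment() *Enrolment {
	secret := make([]byte, 20)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	return &Enrolment{Secret: secret, lastCounter: -1, recoveryHashes: map[string]bool{}}
}

// ManualKey is the base32 string typed into the app when the QR code cannot be scanned.
func (e *Enrolment) ManualKey() string {
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(e.Secret)
}

// VerifyCode accepts a code for the current step or one step either side (clock skew),
// compares in constant time, and never accepts a step at or below one already redeemed.
func (e *Enrolment) VerifyCode(code string, unixTime int64) bool {
	now := unixTime / StepSecs
	for c := now - 1; c <= now+1; c++ {
		if c < 0 || c <= e.lastCounter {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(HOTP(e.Secret, uint64(c))), []byte(code)) == 1 {
			e.lastCounter = c
			return true
		}
	}
	return false
}

func hashCode(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

// GenerateRecoveryCodes returns n fresh codes to show the user once; only their SHA-256
// hashes are stored (each code carries 80 bits of entropy, so a fast hash is adequate).
func (e *Enrolment) GenerateRecoveryCodes(n int) []string {
	codes := make([]string, n)
	for i := range codes {
		raw := make([]byte, 10)
		if _, err := rand.Read(raw); err != nil {
			panic(err)
		}
		codes[i] = hex.EncodeToString(raw)
		e.recoveryHashes[hashCode(codes[i])] = true
	}
	return codes
}

// ConsumeRecoveryCode redeems a code exactly once.
func (e *Enrolment) ConsumeRecoveryCode(code string) bool {
	h := hashCode(code)
	if !e.recoveryHashes[h] {
		return false
	}
	e.recoveryHashes[h] = false
	return true
}

func main() {
	e := NewEnrolment()
	fmt.Println(e.ManualKey(), e.VerifyCode(TOTP(e.Secret, 1700000000), 1700000000))
}
```

The replay guard is the detail most often missed in home-grown TOTP: without it, a code captured within its 30-second window (or the one-step skew allowance) can be submitted a second time, and an authenticator app that honours RFC 6238 will happily have shown the same code to the attacker and the victim.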

Session management

Sessions are stored server-side and validated on every authenticated request. This means that revoking a session (for example, signing out) takes effect immediately. There is no grace period where a revoked session remains valid. Sessions expire after 30 days of inactivity.
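The session model described above, as an added Go example that is not Autohive's code: a server-side store consulted on every authenticated request, where sign-out removes the session so the very next request fails, and a session that has seen no activity for 30 days is dropped. The store keys sessions by a hash of the token, and the current time is passed in so the 30-day behaviour can be exercised without waiting. Store, Session and the user IDs are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// Added example, not Autohive's code; names are hypothetical.

const InactivityTimeout = 30 * 24 * time.Hour

type session struct {
	userID   string
	lastSeen time.Time
}

// Store keeps sessions keyed by SHA-256 of the token handed to the browser, so a
// leaked copy of the store does not yield usable cookies.
type Store struct {
	mu       sync.Mutex
	sessions map[string]*session
}

func NewStore() *Store { return &Store{sessions: map[string]*session{}} }

func tokenKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Create issues a fresh 256-bit random token for userID and records it.
func (s *Store) Create(userID string, now time.Time) string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[tokenKey(token)] = &session{userID: userID, lastSeen: now}
	return token
}

// Validate runs on every authenticated request: it returns the user ID for a live
// session and refreshes its activity time; a session idle for more than 30 days is
// removed rather than left to linger.
func (s *Store) Validate(token string, now time.Time) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := tokenKey(token)
	sess, ok := s.sessions[key]
	if !ok {
		return "", false
	}
	if now.Sub(sess.lastSeen) > InactivityTimeout {
		delete(s.sessions, key)
		return "", false
	}
	sess.lastSeen = now
	return sess.userID, true
}

// Revoke (sign-out) drops the session; there is no cached copy to outlive it.
func (s *Store) Revoke(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, tokenKey(token))
}

// RevokeAll ends every session of a user, e.g. after a password or 2FA change,
// and returns how many were ended.
func (s *Store) RevokeAll(userID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for k, sess := range s.sessions {
		if sess.userID == userID {
			delete(s.sessions, k)
			n++
		}
	}
	return n
}

func main() {
	store := NewStore()
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	tok := store.Create("user-1", t0)
	_, ok := store.Validate(tok, t0.Add(29*24*time.Hour))
	fmt.Println("after 29 idle days:", ok)
	store.Revoke(tok)
	_, ok = store.Validate(tok, t0.Add(29*24*time.Hour))
	fmt.Println("after sign-out:", ok)
}
```

Contrast this with a self-contained bearer token (a signed JWT, say) that the server validates without a lookup: such a token stays valid until its expiry no matter what the user does, which is exactly the grace period this design avoids.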


4. Access control

Autohive uses role-based access control (RBAC) at the plan level. Every member is assigned one of three roles:

Role      Description
Owner     Full control over the plan, billing, members, and all workspaces
Manager   Can manage workspaces and members within their scope
Member    Standard access to workspaces and agents they have been added to

Roles are assigned by the plan owner and can be updated at any time from the plan settings.


5. Audit log

Plan owners have access to a full audit log showing actions taken across the plan. The audit log records:

  • Who performed the action (member name, email, avatar)
  • What the action was (human-readable description)
  • When it occurred (timestamp)
  • Which workspace it affected
  • System-initiated actions (labelled “System”)

The audit log can be filtered by workspace, member, and date range, and searched by action text. Access is restricted to plan owners only.

See Audit log for details.


6. Data retention and deletion

  • Account deletion: To delete your account and have your personal data permanently removed, contact our support team. Deletion is processed in accordance with GDPR and other applicable privacy regulations, following a brief grace period.
  • Workspace data: Removing content, agents, or conversations from a workspace deletes that data from the platform.

7. Bug bounty program

We run a bug bounty program to reward security researchers who find and responsibly disclose vulnerabilities. If you believe you have found a security issue, please email security@autohive.com and we will investigate as quickly as possible.