Security

This page documents how Capvo handles API keys, webhook signatures, and your call data. If you find a security issue, please email security@capvo.app. We respond within one business day.

API keys

API keys authenticate your requests to api.capvo.app. They look like this:

cpv_live_3kF8z2aBcDeFgHiJkLmNoPqRsTuVwX

Creating keys

Create keys from the desktop app at Settings → API Keys → Create a new key. Each key has a name (so you can tell them apart) and an optional environment tag (local, staging, production).

The key is shown once, immediately after creation. Copy it into your secret manager before navigating away. We do not store the plaintext value (only a bcrypt hash), so a lost key cannot be recovered: revoke it and create a new one.

Revoking keys

Revoking a key takes effect within 5 seconds globally. In-flight requests using the key may complete; new requests fail with 401 invalid_api_key.

Rotation

Best practice for production keys:

  1. Create a new key labelled production-2.
  2. Deploy the new key to your application.
  3. Verify traffic is using the new key (the desktop app shows a "last used at" timestamp per key).
  4. Revoke production-1.

This zero-downtime pattern works because there's no limit on the number of simultaneously active keys.

Storage

Keys are stored as bcrypt hashes (cost 12) in PostgreSQL. We never log API key values, and they're redacted from internal monitoring tools. Hashes can't be reversed, so even a full database dump would not expose plaintext keys.

Authentication

REST API

Send your API key as a Bearer token in the Authorization header. See the API reference for details.

Requests over plain HTTP are rejected with 403 forbidden. Only https:// is supported.

Webhooks

Capvo signs every webhook delivery with HMAC-SHA256 using a per-endpoint secret. Verify the signature on every request before trusting the payload. The signing secret is shown once at endpoint creation and is also bcrypt-hashed at rest.

See HMAC verification for code examples in Node.js and Python.
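
The verification step described above, as an added example that is not Capvo's own code. This page does not state how the signature is encoded or which header carries it, so the sketch assumes a hex-encoded HMAC-SHA256 over the raw request body; the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes sent (assumed wire format)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, raw_body: bytes, signature: Optional[str]) -> bool:
    """Return True only if `signature` matches the HMAC of the raw body."""
    if not signature:
        return False  # missing signature: reject, never accept as "unsigned"
    try:
        received = bytes.fromhex(signature.strip())
    except ValueError:
        return False  # malformed (non-hex) signature
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)

def handle_delivery(secret: bytes, raw_body: bytes,
                    signature: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Verify first, parse second. Returns (HTTP status, payload or None)."""
    if not verify_webhook(secret, raw_body, signature):
        return 401, None
    return 200, json.loads(raw_body)

# Constructed sample data (not a real secret or a documented event shape).
SECRET = b"constructed-signing-secret"
BODY = b'{"event": "note.created", "id": "n_123"}'
GOOD_SIG = sign(SECRET, BODY)

if __name__ == "__main__":
    print(handle_delivery(SECRET, BODY, GOOD_SIG))   # accepted
    print(handle_delivery(SECRET, BODY, None))       # rejected: no signature
    # Re-serialising parsed JSON changes the bytes, so the HMAC no longer matches.
    compact = json.dumps(json.loads(BODY), separators=(",", ":")).encode()
    print(handle_delivery(SECRET, compact, GOOD_SIG))  # rejected
```

Compute the HMAC over the request bytes exactly as received; a framework that hands you only parsed JSON will make valid deliveries fail verification.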

MCP server

The MCP server reuses the same API keys as the REST API. The key is passed via CAPVO_API_KEY and forwarded to the server as a Bearer token. Tool-call permissions match the underlying API key. There is no separate ACL.

Data handling

What we store

| Data | Where | How long |
|---|---|---|
| Audio recordings | Supabase Storage (Frankfurt, EU) | 90 days, then auto-deleted |
| Transcripts | PostgreSQL (Frankfurt, EU) | Until you delete |
| Embeddings (for search) | PostgreSQL with pgvector (Frankfurt) | Until you delete |
| Email + account metadata | PostgreSQL (Frankfurt, EU) | Until you delete the account |
| Webhook delivery logs | PostgreSQL (Frankfurt, EU) | 30 days |

Audio is encrypted at rest by Supabase. Transcripts are stored unencrypted at the column level so we can serve them to your API requests with low latency, but the underlying database has full-disk encryption and is accessible only via TLS.

Third parties that see your data

  • OpenAI Whisper API. Audio is sent to OpenAI for transcription, then deleted from OpenAI per their API data policy (no training, 30-day retention then erased).
  • Anthropic Claude API. Only on Pro and Enterprise plans, and only when you enable AI summaries. Transcript text is sent to Anthropic to generate the summary. Anthropic does not train on API inputs.
  • Supabase. Our hosting provider. Stores audio and transcripts in Frankfurt, EU.

We do not sell or share your data with anyone else.

Your rights

You can:

  • Export every meeting and transcript you own via the API.
  • Delete a single meeting from the desktop app or via DELETE /v1/notes/:id.
  • Delete your entire account (and every meeting, transcript, and key associated with it) from Settings → Account → Delete account. Account deletion is irreversible and propagates to Supabase Storage within 24 hours.

GDPR

Capvo is operated from the European Union and stores all customer data in the EU. We act as a data processor under the GDPR; you remain the data controller for the content of your meetings. Sub-processors are listed above and tracked in our Privacy Policy.

For data subject requests (access, rectification, erasure, portability), email privacy@capvo.app. We respond within 30 days.