Security

How your data is protected

The short version

N78-Ops protects your business data with well-known, standard encryption that runs entirely on your phone. Nivo78 operates no server that receives your clients, quotes, or money. Here is exactly what is used, and what each part does for you.

On your device, not our servers

Clients, quotes, schedules, and invoices live in Android's private app sandbox on this phone. Other apps cannot read them under standard Android rules, and nothing is uploaded to Nivo78.

Encrypted at rest — AES-256-GCM via the Android Keystore

Your local business data is sealed with Google's Jetpack Security EncryptedFile using AES-256-GCM (the AES256_GCM_HKDF_4KB scheme), and secure settings use EncryptedSharedPreferences (AES-256-SIV for keys, AES-256-GCM for values). The keys live in the Android Keystore, which is hardware-backed on supported devices—so a lost or stolen phone does not hand over readable data.

Biometric-gated identity vault

Your most sensitive identity fields use a separate AES-256-GCM key that requires your device biometric or PIN to unlock, and is invalidated if your biometrics change (for example, when a new fingerprint is enrolled).

Your master password is never stored

Only a one-way PBKDF2-HMAC-SHA256 verifier is kept on the device, compared in constant time. The password itself is never written to disk or sent anywhere. That is also why no one—including Nivo78—can recover it for you; protect it like a key to your business.

Strong export encryption — PBKDF2 at 600,000 iterations

Password-protected portable backups and exports are encrypted with AES-256-GCM, using a key stretched by PBKDF2-HMAC-SHA256 at 600,000 iterations, so a captured file resists brute-force guessing. Accountant ZIPs (Professional and Premium) use AES-256 WinZip-standard entry encryption. One honest exception: a password-protected CSV for Windows uses the older ZipCrypto format for compatibility—weaker than AES; the app tells you this at export time, and plain exports always show a short risk reminder first.

What forgetting the password does and does not cost you

Because everyday data rides the Android Keystore (not your master password), the installed app keeps working if you forget the password. What you cannot recover are password-protected backups and exports you already made, and restoring one on a new phone or after reinstalling—those need that exact password.

Related topics: Protecting exports & sensitive data, Data files & backups, Manual Backups & JSON Snapshots.

← All N78-Ops help topics