
Security at Kveck

Kveck.no is a small site with a small attack surface, mainly static content and a few forms. This page describes the measures we have in place. We try to be honest about what we do, and not pretend we do more.

Last updated 7 May 2026

1. Data stored in the EU

The site runs on Vercel in the EU region. Emails are sent via Resend in their EU region. Content that users submit via forms is therefore processed within the EU/EEA, and is not transferred to third countries as part of regular operation.

2. HTTPS everywhere

All traffic to kveck.no runs over TLS, provided by Vercel. HSTS is enabled, so browsers automatically use HTTPS for future visits. We do not serve content over unencrypted HTTP.

3. No third-party tracking or analytics cookies

We don't use Google Analytics, tracking pixels, advertising cookies or similar tools. No third parties get to follow you around the web based on your visit to us.

We don't set our own analytics cookies either. No third parties run code in your browser; the bot protection runs entirely server-side.

4. Secrets only server-side

API keys, such as the Resend key that sends email and the MATH_CHALLENGE_SECRET that signs the bot protection, live in server-only environment variables. They are never prefixed with NEXT_PUBLIC_, and never end up in the client bundle or in the HTML sent to the browser.

Form submissions go through server actions in Next.js, so validation and calls to external services happen on the server, not in your browser.

5. Bot protection on forms

The demo and contact forms are protected by a simple server-side equation challenge signed with HMAC. The challenge is verified server-side before we validate or forward what you've written. That reduces spam and automated attacks without involving third-party services.

We also have a honeypot field that's hidden from humans. If it gets filled in, we silently discard the submission.
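
The pattern this section describes, as an added Node.js example that is not Kveck's own code: the server signs the expected answer and an expiry time with HMAC, so the challenge can be verified later without storing anything. The field names (`website`, `answer`, `expires`, `tag`), the token layout and the 10-minute window are assumptions; in a real deployment `secret` would come from a server-only variable such as MATH_CHALLENGE_SECRET.

```javascript
// Added example: stateless HMAC-signed arithmetic challenge plus honeypot check.
const crypto = require('node:crypto');

const TTL_MS = 10 * 60 * 1000; // assumed validity window

// HMAC over "answer.expiry": the tag commits to the correct answer without revealing it.
function sign(secret, answer, expires) {
  return crypto.createHmac('sha256', secret).update(`${answer}.${expires}`).digest('hex');
}

// Server side, on page render: the browser gets the question, expiry and tag only.
function issueChallenge(secret, now = Date.now()) {
  const a = crypto.randomInt(1, 10);
  const b = crypto.randomInt(1, 10);
  const expires = now + TTL_MS;
  return { question: `${a} + ${b}`, expires, tag: sign(secret, a + b, expires) };
}

// Server side, on submit: runs before any field validation or forwarding.
function checkSubmission(secret, form, now = Date.now()) {
  // Honeypot (hypothetical field name): humans never see it, so any value means a bot.
  // The caller drops the submission silently on 'honeypot'.
  if (form.website) return 'honeypot';
  const expires = Number(form.expires);
  const answer = Number.parseInt(form.answer, 10);
  if (!Number.isSafeInteger(expires) || !Number.isInteger(answer)) return 'malformed';
  if (now > expires) return 'expired';
  // Recompute the tag from the submitted answer and expiry; a changed expiry breaks it.
  const expected = Buffer.from(sign(secret, answer, expires), 'hex');
  const given = Buffer.from(String(form.tag), 'hex');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'bad-answer';
  }
  return 'ok';
}
```

Because nothing is stored, a question and tag pair stays valid until it expires and can be resubmitted within that window; a short window or a record of used tags bounds that.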

6. Handling of form data

When you submit a form, the content goes straight to hei@kveck.no via Resend. We have no database that stores it; the information lives in my email inbox in the normal way.

Personal data such as name, email, phone number and company number is not logged in application or error logs. If sending the email fails, we log the error, not what you wrote. Retention and rights are described in more detail in the privacy policy.

7. Dependencies kept up to date

Next.js, the Resend SDK, Zod and other dependencies run on supported versions. Security updates from vendors are rolled out as they arrive, not batched into large releases. Known vulnerabilities are handled as soon as we become aware of them.

8. Reporting vulnerabilities

If you find a vulnerability, we'd like to hear about it. Email hei@kveck.no with a description, and ideally a proof of concept if you have one. We reply within a reasonable time.

We're happy to credit reporters if you'd like that. Please don't publish details of the vulnerability before we've had a chance to fix it.