Enterprise-grade by default. Everything documented.
The security posture your IT team wants to see before you buy — data handling, encryption, access controls, and vendor list. Send this page to your CISO.
Data
Where it lives, how we treat it.
Access
RBAC + audit logs + Face ID.
Encryption
TLS 1.3 + AES-256 at rest.
Compliance
GDPR-ready + HIPAA-ready with BAA.
Operational
Daily patches, weekly restores, monthly audits.
Sub-processors
Every vendor that touches your data.
Where your data lives + how we treat it.
Where your data lives
Primary storage + hosting matches your compliance framework — regional deployment on request per instance. Sub-processors that touch data in flight (AI model, SMS carrier, etc.) are listed in §06 below and covered by DPA. Region + vendor details shared under NDA.
Your data stays yours
We never train foundation models on your conversations or KB. Your data powers your instance and nothing else. Export it any time — CSV, JSON, PDF. Delete it any time — full-purge in 30 days.
Retention you control
Set conversation retention per instance (30 / 90 / 365 days or indefinite). PII masking optional. GDPR right-to-erasure implemented per-contact + per-instance + account-wide.
Backups you can audit
Daily encrypted backups, 30-day retention, quarterly restore drills. Backup logs available on request under NDA.
Every action, attributable.
Role-based access
Superuser (you) · Admin (managers) · Operator (staff). Operators see only assigned instances. Every action logged with timestamp + user ID + IP.
SSO + 2FA
SAML / OIDC for enterprise. TOTP 2FA for individual accounts. Passwordless magic-link option available.
Face ID on operator app
Operator iOS + Android apps gate access via Face ID / Touch ID. Phone unlock alone does NOT reveal customer messages.
At rest. In transit. Everywhere.
TLS 1.3 in transit
Every customer message + every operator action rides TLS 1.3 with modern ciphers (X25519 + ChaCha20-Poly1305). Legacy TLS versions disabled.
AES-256 at rest
Databases, backups, and file uploads encrypted with AES-256-GCM. Encryption keys rotated quarterly, escrowed offline.
Secrets management
API tokens + integration credentials sealed via HashiCorp Vault. No plaintext secrets anywhere in the codebase or in support access.
BYO key (enterprise)
Enterprise customers can bring their own KMS keys (AWS KMS / Azure Key Vault / GCP KMS). We hold ciphertext only.
The honest current state.
GDPR-ready if you need it
Data-processing agreement available on request. Right-to-erasure per-contact / per-instance / account-wide. Audit trail retained for regulatory review. Turn it on per instance for EU customers.
US SaaS controls
Role-based access, per-instance data isolation, encrypted in transit + at rest, audit trail on every operator + admin action. Standard US SaaS controls for a Virginia LLC serving customers globally.
HIPAA on request
Not a covered entity by default. HIPAA-ready hosting available on request with a signed BAA — required for medical, dental, veterinary, and adjacent verticals handling PHI.
No SOC 2 or ISO 27001 yet
We don't currently hold SOC 2 Type II or ISO 27001 certification. Procurement conversations that require formal certifications are handled during the demo call — we're transparent about what we do and don't hold.
What we do so you don't have to.
Automated dependency scans + patching
Renovate + Snyk run on every build. Critical patches applied within 24h; high within 7 days.
Backup restore drills
One instance restored from the previous week's backup, checked byte-for-byte, then discarded. Reports available.
Access audit
Every user + every role + every instance reviewed. Stale accounts revoked. Sub-processor SLAs revisited.
Incident response
24/7 on-call rotation for security incidents. Public status page. Under GDPR Art. 33, we notify the supervisory authority within 72 hours; under Art. 34, we notify affected individuals without undue delay when the breach poses a high risk.
Every vendor that touches your data.
Anthropic (Claude API)
Language-model provider. Conversation content sent to Anthropic for response generation. Zero-retention API mode enabled — Anthropic does not store or train on your data.
SendGrid (transactional email)
Transactional email delivery — confirmations, invoices, password resets, notifications. DPA in place.
Application hosting
Cloud hosting across AWS, OVH, and Hetzner. Region details shared under NDA. Regional deployment on request per instance.
Cloudflare (DNS + WAF + CDN)
DDoS protection, edge caching, web application firewall. Sets an essential __cf_bm cookie for bot management. No customer message content stored at the edge.
Google Cloud (Maps + Weather) — optional
Enabled for geo-aware answers (distance, live weather, GPS pins). Instance-scoped, no personal data forwarded. Turnable off per instance.
Freepik (AI image generation) — optional
Optional AI image generation for the WordPress plugin content tools. Not used by the chat runtime. Turnable off per instance.
Twilio (admin 2FA + optional SMS)
Used for operator + admin two-factor authentication codes. Not used for customer WhatsApp routing. If SMS as a customer channel is enabled for your instance, Twilio also carries that traffic — DPA in place.
WhatsApp / Meta — transit only
Messages flow through WhatsApp's network the same way any WhatsApp Web session does. No data-processing agreement with Meta, no Meta Business API contract. Bridge model: operator scans a QR from your dashboard, WhatsApp installed on their phone acts as a linked device — same mechanism as WhatsApp Web.
Send this page to your security team.
Or request the full security pack — DPA, sub-processor list, penetration test summary, backup logs — under NDA.