Honest about what we do and what we don't.

Every database table has a tenant_id column. Every query filters on it. One customer cannot see another customer's data — enforced at the database layer, not just the API layer.

All traffic runs through Caddy with auto-provisioned TLS certificates. API calls, webhook deliveries, widget connections — everything is HTTPS.

Channel credentials (WhatsApp tokens, Telegram bot tokens) are encrypted with Fernet symmetric encryption before storage. We never store plaintext secrets.

WhatsApp webhooks verified via HMAC-SHA256 (X-Hub-Signature-256). Telegram webhooks verified via constant-time secret comparison. Spoofed webhooks are rejected.

Widget API keys are scoped to specific domains. A key configured for example.com won't work on attacker.com. Keys without domains are playground-only.

Dashboard passwords are bcrypt-hashed. We never store or log plaintext passwords. Login endpoints are rate-limited (10 attempts per 5 minutes per IP+email).

Redis sliding-window rate limiting per API key (RPM/RPS from plan), per IP (120/min on widget endpoints), and per-tenant monthly conversation + token quotas.

Your conversations and knowledge base are never used to train any AI model. We use commercial LLM APIs (OpenAI, xAI, Anthropic) which also don't train on API inputs.

We don't have SOC 2 or ISO 27001. We follow the principles (access control, encryption, logging) but haven't gone through formal audits. These are on the roadmap as we grow.

Dashboard login is email + password only. SAML, OIDC, and SCIM provisioning are not built yet. Enterprise customers needing SSO should talk to us about timeline.

We don't yet offer region-specific data hosting. If you have strict data residency requirements (EU-only, SG-only), talk to us — it's on our roadmap.

We haven't had an external penetration test yet. We follow OWASP top 10 practices and do internal security reviews, but don't have a third-party report to share.

Security incidents are acknowledged within 4 hours during business hours (GMT+8). Critical vulnerabilities (data exposure, authentication bypass) are patched within 72 hours. Affected customers are notified via email within 24 hours of confirmation.

Active accounts: data retained for the life of the subscription. Session memory (Redis): 7-day auto-expiry. Closed accounts: all data deleted within 90 days. Conversation exports available before deletion. Backups retained for 30 days, then purged.

Infrastructure access is limited to the founding team via SSH key authentication (no password login). Database access requires SSH tunnel — no public endpoint. Dashboard admin access is gated by a server-side email allowlist. All admin actions are logged.

Every admin API call is logged with timestamp, user, action, and affected resource. Webhook deliveries are recorded with request/response bodies and timing. LLM usage is tracked per-call with cost, latency, and model. All logs are retained for 90 days.

Code deploys automatically on every push to main via GitHub Actions. No manual SSH access needed for routine deploys. Database migrations run automatically before container restart. Rollback via git revert.

PostgreSQL: daily automated pg_dump backups retained for 30 days. Redis: persistence enabled with AOF logging. Backups stored on the same datacenter (Hetzner Falkenstein) — offsite backup is on the roadmap.