Security
We have implemented comprehensive security controls to protect your data and ensure the integrity of our platform.
Our security measures are aligned with industry-standard frameworks including the OWASP Top 10, providing enterprise-grade protection against modern security threats.
Access tokens use asymmetric RS256 signing and include user identity, session tracking, and automatic expiry. Each token is cryptographically verified, and sessions can be revoked instantly when needed.
User sessions are protected using secure, HTTP-only cookies and short-lived session tokens. Sessions automatically expire after periods of inactivity, and tokens are securely stored and invalidated upon logout or suspicious activity. Session data is never exposed to client-side scripts, reducing the risk of session hijacking.
Training materials and uploaded files are served through short-lived presigned URLs that expire after 60 seconds, minimizing the window of exposure for sensitive content.
All data in transit is protected using industry-standard HTTPS with HTTP Strict Transport Security (HSTS) enabled. We enforce Content Security Policy (CSP), implement frame protection, and disable content-type sniffing to protect against common browser-based attacks.
All API keys are hashed before storage using industry-standard algorithms. Outbound webhooks can be cryptographically signed using HMAC signatures, allowing you to verify the authenticity of data sent from our platform.
URL-based imports and remote resource fetching are strictly validated. We only allow standard HTTP/HTTPS protocols and automatically block requests to internal networks, private IP ranges, and other potentially dangerous destinations.
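A sketch of the kind of import-URL check described above, as an added example rather than the platform's own code. The function names, the injected `resolve` callable and the sample DNS records are assumptions made so that the block runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes loopback, RFC 1918, link-local and CGNAT ranges.
    return ip.is_global and not ip.is_multicast

def check_import_url(url: str, resolve):
    """Return (True, vetted_ip) or (False, reason) for a user-supplied URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)      # literal IP in the URL
        addrs = [host]
    except ValueError:
        addrs = resolve(host)           # hostname: check every record
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"blocked address {addr}"
    # The caller should connect to this vetted IP instead of resolving again.
    return True, addrs[0]

# Constructed DNS records for the demonstration, not real lookups.
SAMPLE_DNS = {
    "files.example.test": ["8.8.8.8"],
    "mixed.example.test": ["8.8.8.8", "10.0.0.5"],
    "metadata.example.test": ["169.254.169.254"],
}

def sample_resolve(host: str):
    return SAMPLE_DNS.get(host, [])

if __name__ == "__main__":
    for u in ("https://files.example.test/doc.pdf", "file:///etc/passwd",
              "http://127.0.0.1:8080/", "http://mixed.example.test/"):
        print(u, check_import_url(u, sample_resolve))
```

Each redirect hop needs the same check, because a public host can redirect to an internal address.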
Production API access is protected by a strict CORS allowlist, ensuring only authorized domains can interact with your data. HTTP parameter pollution attacks are automatically blocked through duplicate parameter rejection.
The dashboard cannot be embedded in third-party frames, protecting against clickjacking attacks and unauthorized embedding.
Our platform enforces strict isolation between different chatbots and accounts. Each chatbot's resources are completely segregated, preventing unauthorized cross-tenant access.
Every chatbot in your organization is protected by granular permissions that enforce read and write access controls. Team members can only access resources they are explicitly authorized to view or modify, ensuring proper separation of duties.
Conversation data respects sharing policies configured at the chatbot level. Whether conversations are restricted to specific team members or shared more broadly, these permissions are enforced server-side and cannot be bypassed.
User passwords are hashed using industry-standard algorithms and never stored in plain text. Password reset flows use cryptographically signed, time-limited tokens that cannot be reused or forged.
Login attempts are monitored by both email address and IP address. Repeated failed login attempts trigger automatic temporary lockouts, protecting accounts from credential stuffing attacks.
Each chatbot's training data and knowledge base are stored in isolated vector database namespaces, preventing any possibility of cross-contamination between different chatbots or accounts.
All sensitive credentials are stored in AWS Secrets Manager and never committed to code or configuration files. Database connections are routed through secure RDS proxies with enforced encryption.
Comprehensive rate limiting is applied across all chat endpoints using a moving-window algorithm. This protects against denial-of-service attacks and automated abuse while ensuring legitimate users experience uninterrupted service.
All user-generated content, including playbook configurations, chatbot names, rules, and triggers, is automatically sanitized before storage using industry-standard HTML sanitization libraries. This prevents malicious scripts from being injected into the platform.
Our platform employs intelligent spam detection with persistent IP blacklisting capabilities. Legitimate traffic is whitelisted to minimize false positives while maintaining strong protection against malicious actors.
Uploaded files undergo strict validation including filename sanitization, file type verification, and size limits. Malicious file paths are automatically rejected to prevent directory traversal attacks.
Search queries and user inputs across the dashboard are subject to length constraints and rate limiting, reducing the attack surface for injection attempts and abuse.
Widget embeds can be restricted to specific domains with parent-domain validation. Time-based active hours further reduce exposure by limiting when your chatbot can be accessed.
All security-relevant events are logged, including authorization failures, rate limit violations, quota breaches, and rejected file uploads. This provides comprehensive audit trails for complex security analysis and detailed compliance requirements.
Both our backend infrastructure and dashboard application are monitored through enterprise-grade error tracking. This includes detailed session replay capabilities that activate automatically when errors occur, enabling rapid diagnosis and resolution.
All uploaded files and remotely imported content are scanned using server-side antivirus protection before being stored or processed. This includes training materials, avatar images, and any content imported from external URLs.
Strict allowlists govern which file types can be uploaded for different purposes. File sizes are bounded to prevent resource exhaustion attacks, and content is validated before processing.
Chat widgets and embeds can be restricted by IP address or geographic location. These restrictions are enforced in real time based on your configuration.
Automated bot traffic is detected and filtered from analytics and telemetry, ensuring your engagement metrics reflect genuine user interactions.
Outbound webhooks include HMAC signatures that you can verify to ensure requests genuinely originate from our platform. Webhook secrets are securely generated and can be rotated at any time.
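A receiver-side sketch of the verification described here and in the earlier paragraph on signed webhooks, written as an added example and not taken from the platform's documentation. It assumes HMAC-SHA256 over the raw request body with a hex-encoded signature; the page does not specify the hash, encoding or header, and the secrets and event payload below are constructed.

```python
import hashlib
import hmac
import json

def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (assumed signature scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_webhook(body: bytes, signature_hex: str, active_secrets) -> bool:
    """Accept the request if any currently active secret produced the signature.

    Keeping the old and the new secret active during a rotation window lets
    deliveries signed just before the switch still verify.
    """
    candidate = signature_hex.strip().lower().encode()
    ok = False
    for secret in active_secrets:
        expected = sign(secret, body).encode()
        # Constant-time comparison; no early exit, so timing does not
        # reveal which secret matched.
        ok |= hmac.compare_digest(expected, candidate)
    return ok

# Constructed sample values for the demonstration.
OLD_SECRET = b"constructed-old-secret"
NEW_SECRET = b"constructed-new-secret"
RAW_BODY = b'{"event":"conversation.created","id":"evt_123"}'

def demo():
    sig = sign(OLD_SECRET, RAW_BODY)
    # Parsing and re-serialising changes the bytes, so the check must run
    # on the body exactly as received.
    reserialised = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "during_rotation": verify_webhook(RAW_BODY, sig, [NEW_SECRET, OLD_SECRET]),
        "after_rotation": verify_webhook(RAW_BODY, sig, [NEW_SECRET]),
        "tampered": verify_webhook(RAW_BODY + b" ", sig, [NEW_SECRET, OLD_SECRET]),
        "reserialised": verify_webhook(reserialised, sig, [NEW_SECRET, OLD_SECRET]),
    }

if __name__ == "__main__":
    print(demo())
```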
Stripe webhook events are verified using official signature validation methods, ensuring billing events are authentic and untampered.
Integrations with WhatsApp, Instagram, and other messaging platforms use verification tokens, event deduplication, and authenticity checks to prevent spoofed messages and replay attacks.