Security

Security, privacy, and operational controls designed into the platform.

Not bolted on after the fact. Built into every layer from authentication to data export.

Authentication & RBAC

4 roles with 35 granular permissions. Admins control who can send messages, manage AI agents, view analytics, and access GDPR tools.

WhatsApp OTP-based authentication — no passwords to manage
4 roles: Admin, Manager, Agent, Viewer
35 granular permissions across all platform features
Role assignment per user with immediate enforcement

Encryption

All sensitive credentials are encrypted at rest using AES-256-GCM. Data in transit uses TLS 1.3.

AES-256-GCM encryption for API keys and credentials at rest
TLS 1.3 for all data in transit
Per-tenant encryption keys — no shared secrets
Key rotation support without service interruption

Audit Logs

Every administrative action is logged with timestamp, actor, and details. Searchable audit trail for compliance.

All admin actions logged — user changes, settings, feature flags
Audit entries include actor, timestamp, action, and metadata
Searchable and filterable via admin dashboard
Retention configurable per compliance requirements

PII Redaction

PII is identified and redacted before AI processing. Personal data never reaches the language model.

Automated PII detection — names, phones, emails, Aadhaar, order IDs
Redaction happens before any data reaches AI models
Anonymized transcripts for quality scoring and analytics
Customer Intelligence profiles contain behavioral data only — no PII

Data Retention & Export

GDPR-compliant data management — scan, retain, export, and cascade-delete per customer.

PII scan across all stored data per contact
Configurable retention policies per data type
Full data export for GDPR Subject Access Requests
Cascade delete — removes contact from all collections in one action

Webhook Signing

All outbound webhooks are signed with HMAC-SHA256. Verify authenticity before processing.

HMAC-SHA256 signature on every webhook payload
4 event types: message.received, message.status, conversation.ended, contact.updated
Retry with exponential backoff on delivery failure
Signature verification examples in Node.js and Python

Tenant Isolation

Multi-tenant architecture with strict data isolation. No tenant can access another's data.

Firestore security rules enforce tenant-scoped access
API keys are tenant-scoped — cannot access other tenants
Feature flags evaluated per-tenant with override support
Platform admin vs tenant admin separation of concerns

Security questions? Let's talk.

We are happy to walk through our security architecture with your team.