Trust Center
Security & Trust
Last updated: May 2026
Security is built into our product—not bolted on. This page summarizes the controls we operate today. We align with enterprise expectations for Meta messaging platforms while being transparent about our maturity path toward formal certifications.
Official Meta integrations
WhatsApp Business, Instagram, and Messenger via official APIs—no scraping or unofficial clients.
Verified webhooks
HMAC-SHA256 signature validation with timing-safe comparison on inbound Meta events.
Encrypted credentials
Integration tokens and secrets encrypted at rest (AES-256-GCM). Secrets never returned in browser API responses.
Tenant isolation
Every data path scoped by business_id in application code, with automated cross-tenant denial tests in CI.
Access control
Role-based team permissions, session rotation on login, HttpOnly cookies, and Origin checks on mutating requests.
Abuse prevention
API and webhook rate limits, burst protection, plan quotas, and human escalation workflows.
Threat model & mitigations
| Threat | Mitigation |
|---|---|
| Webhook forgery | Meta HMAC-SHA256 (x-hub-signature-256), timing-safe compare |
| Replay / duplicate delivery | External message idempotency on inbound messages |
| Credential theft | Encryption at rest; redacted API responses; no secrets in logs |
| Cross-tenant access | business_id scoping + automated isolation tests |
| Spam / flood | Rate limits, burst limiter, plan quotas |
| Session hijack | HttpOnly cookies, hashed session tokens, rotation on login |
| Supply-chain risk | Dependabot, npm audit in CI, lockfile enforcement |
Authentication
- Browser sessions use a first-party HttpOnly session_token cookie (7-day TTL).
- Session tokens are stored as HMAC-SHA256 hashes in the database—never plaintext at rest.
- Public API tokens are not issued to browsers today.
- Production cookies: Secure, HttpOnly, SameSite per deployment (lax, or none+Secure for cross-site setups).
Data isolation architecture
Our database uses Supabase with a service-role backend. Row-level security is not the primary isolation boundary—application-layer enforcement on every repository call is.
Automated security tests in continuous integration verify that one tenant cannot access another tenant’s resources by identifier guessing.
Responsible disclosure
Report vulnerabilities privately to {securityEmail}. Please include steps to reproduce and impact assessment.
We aim to acknowledge reports within 3 business days and provide a remediation timeline for confirmed issues.
Please do not access data belonging to other customers or disrupt production systems.
Operations & resilience
- Encrypted backups via our database provider; documented RPO/RTO targets and restore procedures.
- Security audit events for OAuth, role changes, exports, deletions, and token refresh failures.
- Incident response: revoke provider keys, rotate encryption material, global AI kill switch, session invalidation.
- SOC 2 Type II is on our roadmap—we do not claim certification today.
Payments & PCI
Subscription payments are processed by Stripe using Stripe Checkout. Card numbers are entered on Stripe-hosted pages and are not stored on our servers.
Merchants using Stripe Checkout typically qualify for PCI SAQ A scope. You remain responsible for securing your account credentials and workspace access.
Infrastructure partners
See our Privacy Policy for full subprocessor detail and data-processing context.