No marketing spin. Here's exactly how we handle your data, secure your conversations, and build our software — in plain language.
All machine learning runs locally in your browser using Transformers.js and the all-MiniLM-L6-v2 model. Embeddings are stored in IndexedDB on your device.
We do not send your conversation data to OpenAI, Anthropic, or any third-party AI service. Your data never leaves your browser for AI processing.
AI features are included in your plan at no extra cost. No $0.99/resolution fees, no $50/seat add-ons.
Conversation similarity is computed using cosine similarity on 384-dimensional vectors, generated entirely client-side.
Widget identity verification uses timing-safe HMAC comparison to prevent identity spoofing attacks.
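To illustrate the timing-safe HMAC check described above, here is an added example (not the product's own code): the customer's server signs a visitor id with a per-workspace secret, the widget presents the id and hash, and the backend recomputes and compares in constant time. The secret, visitor ids, and function names are constructed placeholders.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed placeholder: in practice each workspace has its own secret,
// held only server-side and never shipped to the browser.
const WORKSPACE_IDENTITY_SECRET = "example-workspace-secret-do-not-use";

// Customer's server: sign the visitor id once and hand the id plus hash to the widget.
// Without the secret, a visitor cannot forge a hash for someone else's id.
function signVisitorId(visitorId: string, secret: string): string {
  return createHmac("sha256", secret).update(visitorId).digest("hex");
}

// Widget backend: recompute the HMAC and compare in constant time.
// A plain `===` on strings stops at the first differing character, so response
// timing leaks how many leading bytes an attacker has guessed correctly.
// timingSafeEqual throws on unequal lengths, so the length is checked first;
// that early exit is safe because the length of a valid SHA-256 hash is public.
function verifyVisitorIdentity(
  visitorId: string,
  presentedHash: string,
  secret: string,
): boolean {
  const expected = Buffer.from(signVisitorId(visitorId, secret), "hex");
  // Buffer.from(..., "hex") silently truncates at the first non-hex character,
  // so malformed input shows up as a length mismatch rather than an exception.
  const presented = Buffer.from(presentedHash, "hex");
  if (presented.length !== expected.length) return false;
  return timingSafeEqual(presented, expected);
}

// Walk-through with constructed values.
function demo(): { genuine: boolean; spoofedId: boolean; forgedHash: boolean } {
  const hash = signVisitorId("visitor_123", WORKSPACE_IDENTITY_SECRET);
  return {
    genuine: verifyVisitorIdentity("visitor_123", hash, WORKSPACE_IDENTITY_SECRET),
    // Same hash, different id: an attempt to impersonate another visitor.
    spoofedId: verifyVisitorIdentity("visitor_999", hash, WORKSPACE_IDENTITY_SECRET),
    // Right id, hash made up without the secret.
    forgedHash: verifyVisitorIdentity("visitor_123", "0".repeat(64), WORKSPACE_IDENTITY_SECRET),
  };
}
```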
All authenticated endpoints are protected against cross-site request forgery via NextAuth.js built-in CSRF tokens.
API endpoints enforce per-IP and per-workspace rate limits to prevent abuse.
Strict CSP headers restrict script execution origins, preventing XSS attacks on the widget and dashboard.
TruffleHog runs in CI to detect accidentally committed secrets, API keys, and credentials.
Comprehensive test suite covering unit tests (Vitest) and end-to-end tests (Playwright) across the entire application.
The entire codebase is written in TypeScript with strict mode enabled. No implicit any types allowed.
Every API endpoint validates input with Zod schemas. A 360-line validation module covers conversations, messages, visitors, workspaces, and more.
GitHub Actions workflows for linting, type checking, testing, build verification, and deployment. Pre-commit hooks run on every commit.
Stripe webhook handlers use idempotency keys to prevent duplicate charges, even during network failures.
Database schema changes go through Prisma migrations, never destructive pushes. Every migration is version-controlled and reversible.
Concurrent updates to conversations and assignments use optimistic locking to prevent data races.
Server-side logging automatically redacts email addresses, names, and other personally identifiable information.
Planned for 2026. We are currently documenting controls and preparing for our first audit engagement.
Data Processing Agreement (DPA) available on request. We support data subject access requests and right-to-deletion.
First third-party penetration test scheduled for Q2 2026. Security audit documentation is available in our engineering docs.
Currently hosted on US infrastructure. EU data residency options are on our roadmap.
Server-rendered pages with Turbopack for development. Server Components by default, client components only when needed.
Relational database with type-safe ORM. Connection pooling, health monitoring, and automatic migration management.
Live message delivery, typing indicators, presence tracking, and collision warnings for concurrent agent access.
Distributed tracing and observability with OpenTelemetry instrumentation for performance monitoring.
We're happy to answer any security, privacy, or engineering questions.
Contact Us