1. Security Philosophy
We use technical and organizational safeguards appropriate to the nature of the services and the risks involved. Security is a practice we continue to build up as we grow, not a finished state — this page describes our current approach honestly rather than overstating it.
We do not currently hold SOC 2, ISO 27001, HIPAA, or PCI DSS certification, and we don't use terms like "bank-grade security" or "fully GDPR compliant" as absolute guarantees. Where a client engagement requires a specific certification or compliance posture, that's a scoping conversation to have with us directly.
2. Data Protection
We aim to collect and retain only the data needed to deliver the service in question, and to restrict access to it to the people and systems that need it. See our Privacy Policy and Data Processing Addendum for how this applies to specific data categories.
3. Access Controls
Access to systems that handle client configuration and conversation data is limited to team members and contractors who need it to do their work, and credentials for third-party services are not shared more broadly than necessary.
4. Encryption
Traffic between your browser and our website, and between our server-side services and the third-party providers we use (Google Cloud, Calendly, Razorpay, Web3Forms), is transmitted over HTTPS/TLS. We do not publish a blanket "end-to-end encrypted" claim for every part of the system, since whether data is encrypted end to end varies by feature and provider.
5. Infrastructure
Our website and API are hosted on cloud infrastructure, with our AI features running through Google Cloud Vertex AI. We rely on our infrastructure providers' own platform-level security controls in addition to our own application-level practices.
6. Vendor Management
Before relying on a new third-party provider for a core function (payments, scheduling, AI, forms), we consider its reputation, security practices, and terms of service. We keep the list of subprocessors we actually use up to date in our Privacy Policy and Data Processing Addendum rather than listing every technology we could theoretically integrate.
7. AI Provider Security
Our chatbot and voice demo run through Google Cloud Vertex AI, which provides its own security and compliance program at the infrastructure level. We authenticate to it using service-account credentials that are not exposed to the browser; all AI requests are proxied through our own backend rather than calling the AI provider directly from your browser.
8. Data Retention
We retain information only as long as needed for the purpose it was collected, as described in our Privacy Policy, and aim to delete or anonymize it thereafter subject to legal and accounting requirements.
9. Incident Response
If we identify a security incident affecting personal data, we investigate promptly, take reasonable steps to contain it, and notify affected clients and, where legally required, individuals or regulators, consistent with our Data Processing Addendum commitments.
10. Business Continuity
Our services depend in part on third-party cloud, AI, telephony, and messaging providers; where those providers experience outages, our own services may be affected. We do not currently guarantee a specific uptime SLA unless one is agreed in a signed written agreement with a client.
11. Responsible Disclosure
If you're a security researcher and believe you've found a vulnerability in our website or services, please report it to us before disclosing it publicly, and avoid actions that could harm users or data (e.g. accessing data beyond what's needed to demonstrate the issue). We'll acknowledge reports made in good faith and work with you to understand and address the issue.
12. Client Security Responsibilities
If you're a business client, you're responsible for keeping your own dashboard/account credentials confidential, configuring appropriate access within your team, and promptly telling us if you suspect unauthorized access to your account or agent.
13. Contact for Security Concerns
Report a security concern to . Please include enough detail for us to reproduce or understand the issue.