HIPAA-Oriented Security

Security is foundational to everything we build. Here is how we protect your data and your patients' information.

Encryption

All data is encrypted in transit using TLS 1.2 or later and at rest using AES-256. This covers conversation transcripts, visitor information, and knowledge base content, which are protected both in transit and at rest. API traffic between the widget and our servers is always sent over TLS.

Access Controls

Role-based access control (RBAC) ensures team members only see what they need for their role. Tenant data is isolated at the database level, so that one tenant cannot read another tenant's data. Administrative actions require an authenticated session, and sessions time out automatically after a period of inactivity.

Audit Logging

Every significant action is recorded in an immutable audit log, including logins, configuration changes, data exports, and access to conversations. Logs are retained for compliance review and can be exported on request.

Consent Management

Before a visitor begins chatting, they can be presented with a customizable consent screen that explains how their data will be used. Consent acceptance is recorded with timestamps. You control the consent text and whether it is required.

Infrastructure

Our platform runs on AWS infrastructure with data residency in the United States. We use managed services with built-in redundancy and automated backups. Infrastructure access is restricted to authorized personnel with multi-factor authentication.

Note: HIPAA compliance requires technical, administrative, physical, and contractual controls, including a Business Associate Agreement (BAA) with your vendors. Contact us to learn about our compliance posture and BAA availability.