Security
How your data is protected.
Last updated: July 2026
Data at rest
All customer data — invoices, transactions, PII — is stored in a Postgres database with AES-256 disk encryption. Documents (PDFs, images) are kept in encrypted object storage with signed, expiring URLs.
Data in transit
All traffic is served over TLS 1.2+. WhatsApp media is fetched over authenticated channels and never proxied through third parties.
Access control
Every table enforces Row-Level Security. A user can only read or write rows tied to a business they own or are the assigned CA on. Admin actions are gated by role and require an authenticated session.
Webhooks
Inbound webhooks (WhatsApp, integrations) are verified with HMAC-SHA256 signatures using a per-provider secret. Replayed delivery IDs are rejected. Rate limits are enforced per phone number.
Secrets
API keys and service credentials live in the platform secrets store — never in source code, never in the browser bundle. Publishable keys are the only client-side credentials.
Retention
You can request export or deletion of your data at any time by writing to us. See Privacy.
Disclosure
Found a vulnerability? Reach us via the Contact page. We respond within 72 hours.