Security

How your data is protected.

Last updated: July 2026

Data at rest

All customer data — invoices, transactions, PII — is stored in a Postgres database with AES-256 disk encryption. Documents (PDFs, images) are kept in encrypted object storage with signed, expiring URLs.

Data in transit

All traffic is served over TLS 1.2+. WhatsApp media is fetched over authenticated channels and never proxied through third parties.

Access control

Every table enforces Row-Level Security. A user can only read or write rows tied to a business they own or are the assigned CA on. Admin actions are gated by role and require an authenticated session.

Webhooks

Inbound webhooks (WhatsApp, integrations) are verified with HMAC-SHA256 signatures using a per-provider secret. Replayed delivery IDs are rejected. Rate limits are enforced per phone number.

Secrets

API keys and service credentials live in the platform secrets store — never in source code, never in the browser bundle. Publishable keys are the only client-side credentials.

Retention

You can request export or deletion of your data at any time by writing to us. See Privacy.

Disclosure

Found a vulnerability? Reach us via the Contact page. We respond within 72 hours.