Your customers' trust — protected at every layer.
AI & Humn is built with security as a first-class concern, not an afterthought. Here's how we protect the data you and your visitors trust us with.
Nine pillars of our security posture.
All traffic between visitors, our API, the SPA, and the embedded widget is HTTPS-only. TLS certificates are auto-issued and auto-renewed by AutoSSL on our hosting platform. Insecure HTTP requests are 301-redirected to HTTPS at the edge, so no content is ever served over plaintext.
Customer passwords are never stored in plaintext. We hash them with Argon2id (the winner of the Password Hashing Competition and the recommended choice over bcrypt, scrypt and PBKDF2 for new systems) using conservative memory and time costs. A copy of our database exposes only salted hashes, never a password.
Sessions use signed JWTs issued by our API after Argon2id password verification or a successful OAuth round-trip with Google or LinkedIn. The OAuth callback URI points at our backend, not at the browser, so OAuth client secrets never reach the client. The OAuth state parameter is HMAC-signed with the JWT secret, which gives CSRF protection on the callback without a server-side session table.
Every database table holding tenant data carries a tenant_id column, and every authenticated API route scopes its queries by the tenant_id carried in the verified JWT, never by a value supplied in the request. There is no SQL path that lets tenant A read tenant B's widgets, conversations, leads, or usage data. This invariant is unit-tested at the route handler layer.
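One way to make that invariant hard to break, as an added example that is not AI & Humn's code: the query builder refuses to produce a statement on a tenant table without a tenant_id predicate, and the handler takes the tenant only from the verified token. The table and column names, the req.auth shape and the in-memory rows are constructed for the example.

```javascript
// Added example, not AI & Humn's code: tenant scoping enforced in the query builder and
// the route handler. Table and column names, the req/auth shape and the in-memory rows
// are constructed for the example; a real handler would pass the query to a driver.
const TENANT_TABLES = new Set(['widgets', 'conversations', 'leads', 'usage']);
const IDENT = /^[a-z_][a-z0-9_]*$/;   // allowlist for column names used in WHERE

// Builds a parameterised SELECT whose first predicate is always tenant_id = $1.
// Refuses unknown tables, missing tenant ids and any attempt to pass tenant_id as a
// filter, so an unscoped or caller-controlled tenant query cannot be written by accident.
function scopedSelect(table, tenantId, filter = {}) {
  if (!TENANT_TABLES.has(table)) throw new Error(`not a tenant table: ${table}`);
  if (typeof tenantId !== 'string' || tenantId === '') throw new Error('tenant_id required');
  const cols = Object.keys(filter);
  if (cols.includes('tenant_id')) throw new Error('tenant_id comes from the token, not the request');
  if (!cols.every((c) => IDENT.test(c))) throw new Error('bad column name');
  const params = [tenantId, ...cols.map((c) => filter[c])];
  const where = ['tenant_id = $1', ...cols.map((c, i) => `${c} = $${i + 2}`)].join(' AND ');
  return { text: `SELECT * FROM ${table} WHERE ${where}`, params };
}

// Route handler: the tenant comes from req.auth (claims of the already-verified JWT),
// never from the query string or body, so a caller sending ?tenant_id=other is ignored.
function listWidgets(req, db) {
  const filter = req.query && req.query.status ? { status: String(req.query.status) } : {};
  const q = scopedSelect('widgets', req.auth.tenant_id, filter);
  return db.query(q.text, q.params);
}

// Constructed in-memory stand-in for the database, enough to exercise the invariant
// the way a route-level unit test would.
const ROWS = {
  widgets: [
    { id: 'w1', tenant_id: 't-a', status: 'active' },
    { id: 'w2', tenant_id: 't-a', status: 'paused' },
    { id: 'w3', tenant_id: 't-b', status: 'active' },
  ],
};
const fakeDb = {
  query(text, params) {
    const table = text.match(/FROM (\w+) WHERE/)[1];
    const clauses = [...text.matchAll(/(\w+) = \$(\d+)/g)];
    return ROWS[table].filter((r) => clauses.every(([, col, n]) => r[col] === params[Number(n) - 1]));
  },
};
```

The useful property is that the unscoped query is not merely discouraged but unrepresentable through the builder, which is what a route-level unit test can then pin down.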
Card numbers, CVVs, and full PANs never touch our infrastructure. Razorpay (for INR) and Paddle (for USD and international, as Merchant of Record) handle every step of payment capture on their PCI-compliant hosted checkout pages. We store only the last 4 digits, brand, and gateway tokens: enough to display a saved card to the customer, never enough for anyone holding them to charge a card outside that gateway.
Unexpected runtime errors (database unreachable, JSON parse failures, library throws) are sanitised before the response leaves the API. Internal SQL strings, parameter values, stack frames, and connection errors are replaced with a generic "Something on our end is misbehaving" message. Nothing an attacker could use reaches the browser; engineers see the real error in the server logs.
The embedded voice widget renders inside a closed shadow root with all CSS inlined, so host-page CSS cannot leak into the widget and the widget's markup and styles do not collide with the host page's. Shadow DOM is a DOM and style boundary, not a separate origin: the widget script runs in the host page's JavaScript context, and it touches only its own shadow tree, never host-page state, cookies, or local storage. Mic access uses the standard browser permission prompt; we never bypass user consent for audio.
Per-IP rate limits (30 voice sessions per hour, 60 inline-capture submits per hour) bound the worst-case behaviour of a hostile script. Per-tenant outbound limits prevent a single customer from exhausting our quota with the upstream voice provider.
Customers who run authenticated experiences on their own site can pass a signed JWT through the widget to identify the visitor. The token is verified server-side with HS256 against the customer's own secret (generated per widget). Verified claims surface in conversation metadata for post-call CRM joining.
What we collect, where it lives, how long we keep it.
Account data (email, password hash, name), widget configuration, knowledge-base documents you upload, call transcripts and audio from voice sessions, IP address for geo-localized pricing display, and usage metrics for billing.
Our own services run on a managed VPS in a single region that we operate end-to-end. Voice audio and transcripts are stored by our voice provider (Retell) with encryption at rest; we read them via authenticated API only.
Account and billing data: for the life of the account, plus statutory retention for tax records (typically 7 years under the Indian Income Tax Act). Call transcripts and audio: retained for the customer's active subscription period and for 90 days after cancellation, then deleted.
EU residents can exercise their GDPR rights (access, rectification, erasure, portability) via the contact channel below. India's Digital Personal Data Protection Act 2023 is in force; our handling follows its consent, notice and storage-limitation principles.
For the legal-language version of this section, see our Privacy Policy.
Roadmap, not claims.
We're early enough that we'd rather tell you what we're working toward than over-claim. Here's the truthful state of certifications.
Responsible disclosure.
Found a security issue? We'd like to know about it before anyone else does. Email contact@aiandhumn.com with the subject line security disclosure and a brief description. We respond within one business day, will not pursue legal action against good-faith researchers, and will credit you in the fix announcement unless you prefer otherwise.
Last updated: 5 June 2026 — see also our Privacy Policy and Terms of Service.
Build on a platform you can trust.
Start free with a 14-day trial. No card required.
Create your voice widget →