Security overview

Encryption, RBAC, 2FA, GDPR — how we protect your data.

Encryption

  • TLS 1.2+ for every connection (web, API, WhatsApp Cloud API, calling, TURN)
  • AES-256 at rest for the database
  • WhatsApp access tokens + app secrets encrypted in the DB, never returned to the browser
  • Audio media on calls flows over TURN-TLS port 443 — works through any firewall

Access control

  • Three roles: Admin, Manager, Agent — with permissions tuned per role
  • Sidebar filtered + page-level RBAC checks
  • Phone masking for sensitive workflows
  • Two-factor authentication available
  • Session timeout controls for admins

API keys

  • Per-key scopes — issue the smallest set needed
  • Per-key audit log (lastUsedAt)
  • Hashed only — full secret never persisted
  • Revoke instantly from /settings/api-keys
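
A sketch of how the four properties above fit together in one verification path. This is an added illustration, not the product's code. The token format (`keyId.secret`), SHA-256 as the hash, the in-memory `store`, the function names and the scope strings are all assumptions.

```javascript
// Added illustration; names, token format and hash choice are assumptions.
const nodeCrypto = require('node:crypto');

// keyId -> { hash, scopes, lastUsedAt, revokedAt }. The full secret is never stored.
const store = new Map();

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// Issue a key: the full token is returned once; only the digest is persisted.
function issueKey(scopes) {
  const keyId = nodeCrypto.randomBytes(8).toString('hex');
  const secret = nodeCrypto.randomBytes(32).toString('hex');
  store.set(keyId, {
    hash: sha256(secret),
    scopes: new Set(scopes),
    lastUsedAt: null,
    revokedAt: null,
  });
  return { keyId, token: `${keyId}.${secret}` };
}

// Check a presented token against the scope the endpoint requires.
function authorize(token, requiredScope, now = new Date()) {
  const [keyId, secret] = String(token).split('.');
  const rec = store.get(keyId);
  if (!rec || !secret) return { ok: false, reason: 'unknown_key' };
  // Both digests are 32 bytes, so the constant-time compare cannot throw.
  if (!nodeCrypto.timingSafeEqual(rec.hash, sha256(secret))) {
    return { ok: false, reason: 'bad_secret' };
  }
  if (rec.revokedAt) return { ok: false, reason: 'revoked' };
  if (!rec.scopes.has(requiredScope)) return { ok: false, reason: 'missing_scope' };
  rec.lastUsedAt = now; // per-key audit field, updated only on successful use
  return { ok: true, keyId };
}

// Revocation takes effect on the next authorize() call.
function revokeKey(keyId, now = new Date()) {
  const rec = store.get(keyId);
  if (!rec) return false;
  rec.revokedAt = now;
  return true;
}
```

A fast hash is reasonable here only because the secret is 256 bits of random data; a human-chosen password would need a slow password hash instead.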

AI

  • BYOK by default — your provider key, your usage
  • Platform AI is opt-in per workspace
  • No customer conversations train any model

Data ownership

  • CSV export of contacts, conversations, deals — anytime
  • Webhook events for every change so you can mirror to your warehouse
  • Configurable retention windows
  • GDPR DSAR / deletion within 30 days