Security & Privacy
Bank-grade encryption, strict tenant isolation, and zero AI model training on your customer data. Here's how we keep your store safe.
Every API key, credential, and session token is encrypted at rest and in transit, with per-project keys. Nothing is stored in plain text.
Customer conversations and store data are never used to train AI models. We don't sell, rent, or share your data. Full stop.
The chat widget loads only on approved domains, authenticates sessions with signed nonces, and blocks abuse with rate limits.
Four roles: Owner, Admin, Technical Specialist, Chat Supervisor. Supervisors can be limited to specific stores.
Practices
The technical practices we follow on every line of code, every database write, and every API call.
AES-256-GCM with per-project keys. Database backups encrypted at the volume level. Secrets stored in a hardened vault, never in code.
TLS 1.3 across every public endpoint. HSTS blocks HTTP downgrade attacks. Auth cookies set Secure, HttpOnly, SameSite to mitigate XSS and CSRF.
Dashboard JWTs in HttpOnly cookies. Widget sessions chain 5-minute HMAC tokens, nonces, and device-bound JWTs. SAML SSO and MFA available.
Postgres Row-Level Security policies on every table. Organization and project scoping enforced in the database, not just the app.
Per-IP and per-session rate limits on every public endpoint. Widget bootstrap nonces are single-use and expire in 60 seconds. Automatic lockouts on credential abuse.
Daily encrypted backups with 30-day retention. Point-in-time recovery for the production database. Restore procedures documented and validated periodically.
GDPR access, portability, and deletion requests are honored within 30 days. When a customer or store asks us to remove their data, we delete everything we hold.
Published security@egentify.com address for responsible disclosure. We acknowledge reports within 48 hours and patch critical issues within 7 days.
Actor, timestamp, and full diff, retained and exportable.
FAQ
Need a security questionnaire, a Data Processing Agreement, or to talk to our team about a specific control?
Contact security
Need a security questionnaire filled out, a Data Processing Agreement, or just want to chat with someone about how we keep your data safe? Drop us a note and we'll get back to you the same day.