Summary: ConvoAI encrypts all data in transit (TLS 1.3) and at rest (AES-256). AI responses are validated against your knowledge base to prevent hallucinations. We never train AI models on your data. Multi-tenant isolation ensures your data is never accessible to other accounts. All webhook signatures are verified with HMAC-SHA256. PII is automatically redacted from AI context. Full audit logs are available for enterprise plans.
1. Security Overview
ConvoAI is built with security as a foundational principle, not an afterthought. Our platform processes sensitive business conversations and customer data, and we take that responsibility seriously.
- Multi-tenant isolation — Each business account is fully isolated. Agents, contacts, conversations, and knowledge base data are scoped by account at the database level.
- Principle of least privilege — Team members are assigned roles (Admin, Member, Viewer) with granular permissions. API keys are scoped to the account that created them.
- Defense in depth — Multiple layers of security including CSRF protection, Content Security Policy (CSP with nonces), HSTS, rate limiting, and input validation.
2. Architecture Security
- Framework — Built on Django 6.0, which provides built-in protection against SQL injection, XSS, CSRF, and clickjacking.
- Database — PostgreSQL with enforced statement timeouts (15s), connection health checks, and row-level security on all tables.
- Caching — Redis-backed caching for rate limits and session management. In production, sessions are stored in Redis (not cookies).
- Background tasks — Django 6.0 native background tasks. All worker threads are daemon threads to enable graceful shutdown.
- Error monitoring — Sentry integration for real-time error tracking and alerting. PII is excluded from error reports.
3. Data Protection
- Encryption in transit — All connections use TLS 1.3. HSTS is enforced with a 1-year max-age and preload.
- Encryption at rest — PostgreSQL databases use AES-256 encryption at rest. Backups are encrypted.
- PII redaction — Personal information (phone numbers, email addresses, credit card patterns) is automatically redacted before being sent to AI models for processing.
- Soft delete — Contacts and conversations support soft deletion, allowing data recovery within a retention window before permanent removal.
- Data retention — Signal tables are automatically pruned every 24 hours via scheduled jobs. AI router logs are retained for 30 days.
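A sketch of the kind of pre-model redaction pass described in the PII redaction item above. This is an added example, not ConvoAI's code: the regular expressions, placeholder format and function names are assumptions, and the sample message is constructed.

```python
import re

# Illustrative patterns (assumptions); SAMPLE is constructed test input.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits
PHONE_RE = re.compile(r"(?<![\w@])\+?\(?\d[\d\s().-]{6,}\d(?!\w)")
SAMPLE = ("Hi, I'm at jane.doe@example.com or +1 (415) 555-0132. "
          "Card 4111 1111 1111 1111, order 1234567890123456.")

def digits_of(s):
    return re.sub(r"\D", "", s)

def luhn_ok(digits):
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact(text):
    """Replace PII with typed placeholders; return (text, counts)."""
    counts = {"EMAIL": 0, "CARD": 0, "PHONE": 0}

    def replacer(kind, is_pii=lambda raw: True):
        def repl(match):
            if not is_pii(match.group(0)):
                return match.group(0)  # leave look-alikes untouched
            counts[kind] += 1
            return f"[{kind}]"
        return repl

    # Emails first (local parts may hold digits), then cards, then phones.
    text = EMAIL_RE.sub(replacer("EMAIL"), text)
    text = CARD_RE.sub(replacer("CARD", lambda r: luhn_ok(digits_of(r))), text)
    text = PHONE_RE.sub(
        replacer("PHONE", lambda r: 8 <= len(digits_of(r)) <= 15), text)
    return text, counts

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The Luhn check keeps the 16-digit order number intact while the card number is replaced, and the per-type counts give the caller something to log without logging the PII itself.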
4. AI Safety
ConvoAI employs a multi-layered AI safety system to ensure accurate, safe, and on-brand responses:
- Knowledge Base Grounding — AI responses are verified against your knowledge base using semantic vector search. Factual claims (prices, hours, policies, contacts, locations) are extracted and individually verified.
- Hallucination prevention — Responses with a grounding score below 50% are automatically blocked and escalated to a human agent. Partially grounded responses (50-80%) are flagged with warnings.
- Prompt leakage protection — System prompts and internal instructions are never exposed to end users. A dedicated filter strips any leaked system content.
- Response validation — Multi-layered validation: instant safety checks (forbidden claims, PII harvesting, prompt injection) followed by knowledge base verification.
- No model training on your data — Your conversations and knowledge base are never used to train AI models. All AI API calls are stateless.
- Human escalation — Automatic escalation to human agents when AI confidence is low, with full handoff context (what AI tried, customer mood, conversation summary).
5. Authentication & Authorization
- Email-only authentication — Powered by django-allauth with email verification. No username-based accounts.
- Password security — Enforced minimum length, common password checks, similarity checks, and numeric-only prevention.
- Session security — Secure cookies in production (HttpOnly, Secure, SameSite). 30-day rolling sessions with server-side storage.
- Team RBAC — Three roles: Admin (full access), Member (inbox + contacts), Viewer (read-only). Permissions enforced at the view level.
6. API Security
- Bearer token authentication — API keys are hashed (SHA-256) before storage. Raw keys are shown once at creation.
- Rate limiting — Plan-based rate limits (30-3,000 req/min). Standard headers returned on every response: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset.
- Webhook verification — All inbound webhooks (Meta, Shopify, Retell, Stripe) are verified using HMAC-SHA256 signatures. Outbound webhooks include HMAC signatures for consumer verification.
- SSRF protection — Outbound webhook URLs are validated against SSRF patterns (private IPs, localhost, metadata endpoints).
- Input validation — All API inputs are validated with type checking and length limits. Message content is truncated to prevent token bombing (2,000 char limit).
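One way to implement the outbound webhook URL check from the SSRF protection item above, as an added example rather than ConvoAI's own code. The HTTPS-only policy, the function names and the constructed DNS table (hypothetical hostnames, with 8.8.8.8 standing in for a public receiver) are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline; hostnames are hypothetical.
FAKE_DNS = {
    "hooks.example.com": ["8.8.8.8"],
    "intranet.example.com": ["10.0.0.5"],
    "mixed.example.com": ["8.8.8.8", "169.254.169.254"],
    "mapped.example.com": ["::ffff:192.168.1.10"],
    "127.0.0.1": ["127.0.0.1"],
}

def fake_resolve(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror("no such host")
    return FAKE_DNS[host]

def system_resolve(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]  # every A/AAAA address

def is_public(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # Judge ::ffff:a.b.c.d by the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # False for loopback, RFC 1918, CGNAT and link-local (metadata) ranges.
    return ip.is_global

def check_webhook_url(url, resolve=system_resolve):
    """Return (allowed, reason) for a customer-supplied webhook URL."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":  # assumed policy: HTTPS only
        return False, "scheme not allowed"
    if parts.username or parts.password or not parts.hostname:
        return False, "missing host or embedded credentials"
    try:
        addrs = resolve(parts.hostname, port)
    except OSError:
        return False, "host does not resolve"
    # One non-public record is enough to reject: a name may mix records.
    if not addrs or not all(is_public(a) for a in addrs):
        return False, "resolves to a non-public address"
    return True, "ok"
```

A check at registration time is not sufficient on its own: the delivery code should connect to the address that was validated, or re-run the check at send time, so that a later DNS change cannot redirect the request.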
7. Infrastructure
- Hosting — Self-hosted on dedicated infrastructure via Coolify/EasyPanel. No shared hosting.
- Database — Managed PostgreSQL with AI-optimized vector search. Row-level security enforced on all tables.
- Deployment — Automated deployments with database connectivity checks and migration verification before going live. Failed migrations block deployment.
- Monitoring — Sentry for error tracking, structured event logging, usage tracking per agent per day.
8. Compliance
- GDPR — Full Data Processing Agreement (DPA) available per GDPR Article 28. Data subject rights (access, deletion, portability) supported.
- WhatsApp Business Policy — Compliant with Meta Business Platform terms. Opt-in/opt-out tracking, 24-hour conversation window enforcement, and template message compliance.
- PCI DSS — ConvoAI never stores credit card numbers. Payment processing is handled entirely by Stripe (PCI Level 1 certified).
- Data residency — Database hosted in your chosen region. No cross-border data transfers without explicit consent.
9. Incident Response
In the event of a security incident:
- We will notify affected customers within 72 hours as required by GDPR Article 33.
- Our incident response includes identification, containment, eradication, recovery, and post-incident analysis.
- Audit logs are maintained for all administrative actions and API access.
- Security vulnerabilities can be reported to our security team (see contact below).
For security inquiries, vulnerability reports, or compliance questions:
- Email: security@convoai.cloud
- We aim to respond to security reports within 24 hours.