Security, documented.
No vague assurances. Here is exactly how we protect your data and your customers' data, the encryption, access controls, and infrastructure behind every conversation.
What's in place today
These controls are live in production. OyeChats does not yet hold formal third-party certifications such as SOC 2 or ISO 27001; our data processing is aligned with the GDPR, and we're happy to walk enterprise teams through our practices in detail.
GDPR
Aligned
HTTPS / TLS
Enforced everywhere
Encryption at rest
AES-256, managed cloud
Signed webhooks
HMAC-SHA256
Encryption
- ✓TLS for all data in transit (HTTPS / WSS)
- ✓Data encrypted at rest by our managed cloud storage (AES-256)
- ✓Webhook payloads signed with HMAC-SHA256
- ✓Passwords hashed with bcrypt, never stored in plain text
Infrastructure
- ✓Hosted on managed cloud infrastructure
- ✓Automated backups managed by our cloud provider
- ✓Rate limiting on API endpoints
- ✓Error and uptime monitoring via Sentry
Access Control
- ✓Role-based access control for operators and admins
- ✓Password and Google OAuth sign-in
- ✓Signed session tokens with expiry
- ✓API keys scoped to the minimum required permissions
Data and Privacy
- ✓GDPR-aligned data processing
- ✓Email addresses redacted in application logs
- ✓Right to erasure, delete visitor data on request
- ✓Prompt-injection guards on every AI message
Infrastructure at a glance
Managed Postgres
Primary application datastore
Background job queue
Async tasks via ARQ + Redis
Error monitoring
Incident alerting via Sentry
AI observability
Trace logging via Langfuse (Enterprise)
Cloud object storage
Documents and media via Cloudflare R2
Transactional email
Notifications and summaries via Brevo
Found a vulnerability? We have a responsible disclosure program.
support@oyechats.com