Security

Your Data is Safe With Us

Enterprise-grade security built from the ground up. We protect your business data and your customers' information with industry-leading practices.

Protection

How We Keep You Secure

Encryption

TLS 1.3 for data in transit. AES-256 encryption for data at rest. Your messages are always protected.

Authentication

Multi-factor authentication, secure session management, and API key rotation. Powered by Clerk.

Infrastructure

UK-based servers, automated backups, firewall protection, and DDoS mitigation. 99.9% uptime SLA.

Monitoring

24/7 system monitoring, intrusion detection, real-time alerting, and comprehensive audit logs.

Application Security

Helmet.js security headers on all API responses

CORS policies restricting cross-origin requests

Input validation and sanitisation on all endpoints

Rate limiting to prevent brute force and DDoS attacks

SQL injection protection via Prisma ORM parameterised queries

Secure webhook verification for WhatsApp callbacks

Role-based access control (Owner, Admin, Agent)

Infrastructure Security

UK-based data centre (London) for data sovereignty

UFW firewall with strict port access control

SSH key-based authentication for server access

Automated daily database backups with point-in-time recovery

Process isolation with PM2 process manager

Nginx reverse proxy with request filtering

Regular system updates and security patches

AI & Data Processing Security

Customer messages processed through our AI pipeline are not used to train external models. We use OpenAI's API with data processing agreements in place. Knowledge embeddings are stored per-organisation with strict isolation — no cross-contamination between business accounts.

Incident Response

We maintain a documented incident response plan that includes immediate containment and assessment, customer notification within 72 hours for data breaches, root cause analysis and remediation, post-incident review and process improvement, and ICO notification where required by law.

Responsible Disclosure

If you discover a security vulnerability in Convoo, we encourage responsible disclosure. Please email security@convoo.io with details. We commit to acknowledging reports within 24 hours and resolving critical vulnerabilities within 48 hours.