Security at Conviro

Enterprise-grade security built from the ground up. Your customer data and conversations are protected at every layer.

Encryption

In Transit: All data is encrypted using TLS 1.2+ with 256-bit encryption. All API endpoints, webhooks, and widget connections are HTTPS-only. HSTS is enforced with a max-age of 1 year including subdomains.

At Rest: Customer data is encrypted using AES-256 at the storage layer. Database volumes use full-disk encryption. Backup files are encrypted with separate keys.

Secrets Management: API keys, tokens, and credentials are encrypted at rest with separate key hierarchies and are never logged or exposed in API responses.

Infrastructure

Data Center: All production infrastructure is hosted in ISO 27001-certified data centers in the European Union (Germany). Servers are not accessible from the public internet.

Network Isolation: Database, cache, and message queue services run in private networks with no public IP addresses. Only the API and web application have public endpoints, behind a reverse proxy with rate limiting and DDoS protection.

Monitoring: 24/7 infrastructure monitoring with automated alerting. Uptime target: 99.9%.

Access Control

Authentication: Email/password with bcrypt hashing (salt rounds: 12) or Google OAuth 2.0. JWT-based access tokens with 15-minute expiry and cryptographically random refresh tokens.

Authorization: Role-based access control (RBAC) with Owner, Admin, and Agent roles. API key authentication for programmatic access with per-key permission scoping.

Rate Limiting: Per-IP and per-account rate limits on all endpoints. Authentication endpoints have stricter limits to prevent brute-force attacks.

Compliance

GDPR: Full compliance with the EU General Data Protection Regulation. Data Processing Agreements (DPA) available for Enterprise customers. Privacy-by-design principles applied throughout the platform.

Data Residency: All customer data is stored and processed within the EU. AI model providers process conversation data under DPAs with appropriate safeguards for any US transfers (EU-US DPF, Standard Contractual Clauses).

Cookie Compliance: GDPR-compliant cookie consent banner with granular category control (Essential, Analytics, Marketing). Consent records are stored for audit purposes.

Estonian Data Protection Act: Compliant with local Estonian regulations. Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

Data Retention and Deletion

Conversation Data: Retained based on your workspace settings (default: 90 days). Configurable per workspace.

Account Deletion: When you delete your account or a chatbot, all associated data is immediately hard-deleted from active databases. Encrypted backups containing the deleted data are permanently removed within 30 days.

Right to Erasure: GDPR Article 17 requests are processed within 30 days. Contact [email protected].

AI Model Security

Data Isolation: Your knowledge base and conversation data are never used to train AI models. Each workspace's data is strictly isolated.

Provider Agreements: We maintain Data Processing Agreements with all AI providers (Anthropic, OpenAI, Google). Zero-retention API agreements ensure providers do not store your data.

Content Filtering: AI outputs are monitored for safety. Prompt injection protections and content safety filters are applied to all AI interactions.

Vulnerability Disclosure

If you believe you have found a security vulnerability in Conviro, please report it responsibly to our security team. Do not disclose the vulnerability publicly until we have had an opportunity to address it.

Contact: [email protected]

We commit to:

  • Acknowledging your report within 24 hours.
  • Providing a timeline for remediation within 72 hours.
  • Keeping you informed of our progress.
  • Not pursuing legal action against good-faith security researchers.