Security & Privacy

Built for trust, by design.

Suppabot runs your AI support assistant on top of your own content. Below is a straight account of how we build it: how your data is isolated, how it’s encrypted, who can touch it, and the control you keep over it.

These are our engineering practices and commitments — not third-party certifications. If you have a security questionnaire, we’re happy to complete it.

Per-tenant isolation

Every account's data lives behind its own tenant boundary. Queries against your conversations, contacts, and knowledge base are scoped to your organization, so one customer's data is never visible to another.

Encrypted end to end

Connections to Suppabot are TLS-encrypted. Your data is stored on managed Postgres (Neon) that encrypts at rest. Internal service calls run over encrypted transport too.

Your content, your control

The bot answers from the content you give it. Your data stays yours — you can export it or request deletion at any time, and we never sell it or train shared models on it.

Security architecture

The controls below describe how Suppabot is built. They map to the standard technical safeguards — isolation, encryption, access control — used across modern SaaS.

Per-tenant data isolation

Suppabot is multi-tenant by design. Reads and writes against tenant data are scoped to your organization at the application layer, so requests can only reach the data that belongs to your account.

Encryption in transit

All connections to Suppabot use TLS, enforced at the edge by our hosting provider. Calls between internal services (database, cache, AI inference, email) run over encrypted transport.

Encryption at rest

Persisted data lives in managed Postgres (Neon), which encrypts storage at rest using the underlying cloud provider's disk encryption.

Modern authentication & session security

Sign-in is handled by a modern auth stack with email verification, OAuth (Google) sign-in, and secure, server-validated sessions. A role model separates account managers from staff so people only get the access they need.

Least-privilege data access

Access to data is granted on a need-to-know basis. Administrative and back-office operations are scoped and gated rather than open by default, and changes to your account are attributable.

Answers grounded in your content

Responses are generated from the website pages and documents you train the bot on, not from open-ended generation. Grounding the model in your own content keeps answers on-topic and reduces hallucination.

Your data, your control

Your content and conversations are yours. We process them to run your assistant — and you stay in control of them.

  • You own your data. The content you upload and the conversations your visitors have belong to you. We process it to run your assistant — nothing more.
  • Export on request. Need your conversations or contacts out of the platform? Request an export and we'll provide your data.
  • Deletion on request. Ask us to delete your account data and we will, subject to any limited records we're legally required to retain.
  • No model training on your data. We don't use your content to train shared or third-party models. Your knowledge base powers only your own assistant.

Subprocessors

We rely on a small set of reputable infrastructure providers to run Suppabot. Each one processes data only to deliver the part of the service shown below.

ServicePurposeData
VercelHosting & edge computeRequest data
NeonManaged Postgres databasePersisted application data
OpenAIAI inference (chat + embeddings)Chat content (not used to train shared models)
UpstashRedis (rate limiting, cache)Ephemeral keys
ResendTransactional emailRecipient address + email body
StripeBillingPayment method & billing details

Need a complete, current subprocessor list or a Data Processing Addendum? Email security@suppabot.com.

Privacy & consent

We’re transparent about what we collect and why. Our Privacy Policy explains the data we process and your rights over it; our Terms of Service set out how the product may be used. Where consent to legal terms is required, we capture it at sign-up.

FAQ

Is my data isolated from other customers?

Yes. Suppabot is multi-tenant, and tenant data is scoped to your organization at the application layer. One account's conversations, contacts, and knowledge base are not visible to another.

Is my data encrypted?

Connections to Suppabot are protected with TLS in transit, and persisted data is stored on managed Postgres that encrypts at rest.

Do you train AI models on my content?

No. Your content is used to power your own assistant's answers. We don't use it to train shared or third-party models.

Who do you share data with?

Only the infrastructure subprocessors listed above — hosting, database, AI inference, email, billing — each used to operate the product. We don't sell your data.

How do I report a security concern or vulnerability?

Email security@suppabot.com. We review reports promptly and aim to respond within one business day. Researchers acting in good faith will not face legal action.

Have a security questionnaire?

We’re happy to walk through our practices, complete your questionnaire, or share a Data Processing Addendum. Reach out and we’ll get you what you need.

Or email security@suppabot.com