Security

Built secure from the ground up

Enterprise-grade security that ships with the product — not bolted on after. Every layer of the stack is designed with least-privilege and defence-in-depth principles.

Security overview

Argon2id Password Hashing

All passwords are hashed with Argon2id — the winner of the Password Hashing Competition and the current OWASP recommendation. Memory-hard by design; resistant to GPU and ASIC cracking.

JWT RS256 Tokens

Asymmetric RS256 signing means only the server can issue valid tokens. Access tokens expire in 15 minutes; refresh tokens in 7 days. Token rotation on every refresh prevents replay attacks.

TOTP Two-Factor Auth

Time-based OTP (TOTP) 2FA with QR code enrollment, available for all roles. Compatible with Google Authenticator, Authy, 1Password, and any TOTP-compliant app. Enforced at the admin level.

Encrypted Secrets at Rest

All tenant secrets — API keys, webhook signing tokens, third-party credentials — are encrypted at rest using the configured encryption_key. No plaintext secrets exist in the database.

Rate Limiting & Account Lockout

Login endpoints are rate-limited via Redis with configurable thresholds. Repeated failed attempts trigger temporary account lockout. Protects against credential-stuffing and brute-force attacks without additional infrastructure.

Self-Host Data Residency

The self-hosted deployment option removes all third-party data exposure entirely. With ALLOW_OLLAMA_IN_PRODUCTION=true, no conversation data, embeddings, or documents leave your network.

Security Model

Layered defences at every tier

Authentication & Session

  • Argon2id for password storage
  • JWT RS256 — short-lived access tokens (15 min)
  • Refresh token rotation (7-day max session)
  • TOTP 2FA enforced per role
  • Widget keys (cb_live_*) scoped to a single bot
  • Session tokens separate from JWT (operator console)

Infrastructure & Data

  • Encrypted secrets at rest (encryption_key)
  • Per-tenant secret isolation — tenants cannot access each other's keys
  • Redis rate limiting on all auth endpoints
  • Account lockout after configurable failed attempts
  • nginx TLS termination in Docker Compose stack
  • Self-host option: zero third-party data exposure

Security questions? Let's talk.

Our team is available to discuss your specific compliance requirements, conduct a security review, or walk you through the self-hosted deployment model.

Contact security team