Security & Privacy

Frequently asked questions about Chatsby data security, encryption, compliance, privacy, and infrastructure.

Security FAQ

Security and privacy are foundational to the Chatsby platform. This page answers the most common questions about how we protect your data, comply with regulations, and maintain the integrity of our infrastructure. For general platform questions, see the General FAQ. For billing questions, see the Billing FAQ.

How is my data secured?

Chatsby employs a multi-layered security approach to protect your data:

  • Encryption in transit --- All data transmitted between your browser, the Chatsby widget, and our servers is encrypted using TLS 1.2 or higher. This includes API requests, webhook payloads, and dashboard interactions.
  • Encryption at rest --- All stored data, including your training data, conversation logs, and account information, is encrypted at rest using AES-256 encryption.
  • Network security --- Our infrastructure is protected by firewalls, intrusion detection systems, and DDoS mitigation. All internal service-to-service communication is encrypted.
  • Access controls --- Chatsby employees access production systems only through authenticated, audited channels with role-based permissions and multi-factor authentication.

Is Chatsby SOC 2 compliant?

Chatsby is committed to achieving and maintaining SOC 2 Type II compliance. We follow the Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) in our operations and infrastructure design. Contact [email protected] for the latest information on our compliance status and to request our SOC 2 report.

Is Chatsby GDPR compliant?

Yes. Chatsby is fully compliant with the General Data Protection Regulation (GDPR). Our compliance measures include:

  • Data Processing Agreement (DPA) --- Available for all customers. See the DPA section below.
  • Data minimization --- We collect and process only the data necessary to provide the service.
  • Right to access --- You can export all your data at any time from the dashboard.
  • Right to deletion --- You can delete individual data sources, conversations, or your entire account. Deletion is permanent and irreversible.
  • Right to portability --- Your training data and conversation logs can be exported in standard formats.
  • Data residency --- See the "Where is data stored?" section below for information on data hosting regions.
  • Lawful basis --- We process data under legitimate interest (providing the service) and contractual necessity. We do not sell or share customer data with third parties for advertising purposes.

Where is data stored?

Chatsby's infrastructure is hosted on enterprise-grade cloud providers with data centers in the following regions:

| Data Type | Cloud Provider | Primary Region |
| --- | --- | --- |
| Application data | AWS | US East (Virginia) |
| Training data and embeddings | AWS | US East (Virginia) |
| File storage | AWS S3 | US East (Virginia) |
| CDN (widget delivery) | Cloudflare | Global edge network |

Enterprise customers can request dedicated data residency in specific regions (EU, APAC) as part of their enterprise agreement. Contact [email protected] for details.

Is my training data used to train AI models?

No. Your data is used exclusively to power your own AI agents. Chatsby does not use customer data to train, fine-tune, or improve any AI models --- neither our own nor any third-party models. Your knowledge base is isolated, private, and accessible only to your account.

We also ensure that the underlying AI model providers (such as OpenAI) do not use data sent through our API for model training. We use API agreements that explicitly prohibit training on customer inputs and outputs.

How is data encrypted?

| State | Method | Standard |
| --- | --- | --- |
| In transit | TLS 1.2+ | Industry standard for HTTPS |
| At rest | AES-256 | FIPS 140-2 compliant encryption |
| Database | Encrypted storage volumes | AWS-managed encryption keys |
| Backups | AES-256 encrypted | Same standard as primary storage |
| API keys | Hashed and salted | Never stored in plaintext |

Can I delete my data?

Yes. You have full control over your data and can delete it at any time:

  • Individual data sources --- Delete specific training documents, URLs, or text entries from the Sources tab.
  • Conversations --- Delete individual conversations or bulk-delete from the Conversations tab.
  • Entire agent --- Delete an agent and all associated data (training data, conversations, settings) from the agent's Settings page.
  • Entire account --- Delete your account and all data from Account Settings > Delete Account.

When you delete data, it is permanently removed from our primary systems. Due to the nature of distributed systems, it may take up to 30 days for deleted data to be purged from all backup systems.

How are API keys secured?

  • API keys are generated with cryptographic randomness and are displayed only once at creation time.
  • Keys are stored as salted, one-way hashes in our database. We cannot retrieve your key after creation --- if you lose it, you must generate a new one.
  • You can revoke API keys at any time from Settings > API Keys.
  • API keys should be stored securely on your server (environment variables or secret management tools) and never exposed in client-side code.
  • All API requests are authenticated and logged for auditing purposes.
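
The storage pattern described in the list above (random key, shown once, only a salted one-way hash kept, revocable), sketched as an added example; this is not Chatsby's code. The `KEY_STORE` dictionary, the `key_id.secret` key format, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Stand-in for the database table of issued keys (assumption): key_id -> record.
KEY_STORE = {}


def issue_key():
    """Create a key. The full value is returned once and never stored."""
    key_id = secrets.token_hex(8)        # non-secret lookup handle
    secret = secrets.token_urlsafe(32)   # 32 bytes from the OS CSPRNG
    salt = secrets.token_bytes(16)       # unique salt per key
    # A fast hash is acceptable only because the secret is long and random;
    # a human-chosen password would need a slow KDF instead.
    digest = hashlib.sha256(salt + secret.encode()).digest()
    KEY_STORE[key_id] = {"salt": salt, "digest": digest, "revoked": False}
    return f"{key_id}.{secret}"          # "." never occurs in either part


def verify_key(presented):
    """Return True only for a well-formed, known, unrevoked key."""
    key_id, sep, secret = presented.partition(".")
    record = KEY_STORE.get(key_id)
    if not sep or record is None or record["revoked"]:
        return False
    candidate = hashlib.sha256(record["salt"] + secret.encode()).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def revoke_key(key_id):
    """Disable a key immediately; returns False for an unknown key id."""
    record = KEY_STORE.get(key_id)
    if record is None:
        return False
    record["revoked"] = True
    return True


if __name__ == "__main__":
    key = issue_key()                    # shown to the user exactly once
    print("valid:", verify_key(key))
    revoke_key(key.partition(".")[0])
    print("after revocation:", verify_key(key))
```

Because only the salt and digest are kept, a lost key cannot be recovered from the store; the only option is to issue a new one.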

What about PII in conversations?

Personally identifiable information (PII) may be present in conversations if visitors share it voluntarily (e.g., name, email, phone number). Chatsby handles PII as follows:

  • Storage --- PII in conversations is stored encrypted alongside the conversation data and is subject to the same security controls.
  • Access --- Only your account's authorized team members can view conversation content.
  • Deletion --- You can delete conversations containing PII at any time. You can also configure automatic conversation retention policies (available on Pro and Enterprise plans) to automatically delete conversations after a specified period.
  • Minimization --- Configure your agent's system prompt to instruct it not to request unnecessary PII. Only collect what you need.
  • Masking --- Enterprise customers can enable PII detection and automatic masking in conversation logs. Contact [email protected] for details.

You are responsible for ensuring that your use of Chatsby complies with applicable privacy laws (GDPR, CCPA, etc.) regarding PII collection and processing. We recommend adding a privacy notice to your chat widget that informs visitors about data collection.

Do you have a Data Processing Agreement (DPA)?

Yes. Chatsby provides a DPA for customers who require one under GDPR or other data protection regulations. The DPA covers:

  • The types of personal data processed
  • The purposes and duration of processing
  • The obligations of both parties
  • Sub-processor disclosures
  • Data breach notification procedures
  • Data deletion and return procedures

To request a signed DPA, contact [email protected]. Enterprise customers receive a DPA as part of their standard onboarding process.

How do I report a security vulnerability?

Chatsby maintains a responsible disclosure program. If you discover a security vulnerability, please report it responsibly:

  • Email: [email protected]
  • Scope: Any vulnerability affecting chatsby.co, api.chatsby.co, the chat widget, or the dashboard
  • Response time: We acknowledge reports within 48 hours and provide a timeline for remediation
  • Safe harbor: We do not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices

Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate.

What access controls and audit logging are available?

Team Access Controls

| Feature | Availability |
| --- | --- |
| Role-based access | Pro and Enterprise plans. Assign Owner, Admin, or Member roles with different permission levels |
| Invite-only access | All plans. Team members must be explicitly invited to access your account |
| Two-factor authentication (2FA) | Available for all accounts. Strongly recommended for all team members |
| SSO (Single Sign-On) | Enterprise plans. SAML 2.0 and OIDC supported |

Audit Logging

Chatsby maintains audit logs of significant account activities, including:

  • Team member logins and logouts
  • Agent creation, modification, and deletion
  • Data source additions and deletions
  • Integration configuration changes
  • API key creation and revocation
  • Billing and plan changes

Audit logs are available to account owners and admins on Pro and Enterprise plans via Account Settings > Audit Log. Enterprise customers can export audit logs for integration with external SIEM systems.

What is your uptime guarantee and SLA?

Chatsby targets 99.9% uptime for the core platform, including the chat widget, API, and dashboard. Our historical uptime has consistently met or exceeded this target.

| Plan | SLA |
| --- | --- |
| Free | No SLA |
| Starter | No formal SLA, 99.9% target |
| Pro | 99.9% uptime SLA |
| Enterprise | Custom SLA, up to 99.99% with dedicated infrastructure |

In the event of downtime that breaches your SLA, you may be eligible for service credits. SLA terms and credit calculations are detailed in your plan's terms of service or enterprise agreement.

We publish real-time and historical uptime information on our Status Page.

Do you conduct third-party security audits?

Yes. Chatsby engages independent third-party security firms to conduct regular assessments of our platform, including:

  • Penetration testing --- Annual penetration tests of our web application, API, and infrastructure.
  • Code review --- Periodic security-focused code reviews of critical components.
  • Infrastructure audit --- Regular review of our cloud infrastructure configuration and security posture.

Reports from these assessments are available to Enterprise customers under NDA. Contact [email protected] to request a summary report.