The boring part, written honestly.

Principles

• Default-deny. Every API route is closed unless an authenticated, authorized request opens it. Public routes (like the demo) are an explicit short list.
• One tenant per query. The database refuses to return another tenant's row, even if a query forgets to filter for it. We enforce this in code lint, not just in policy.
• Tamper-evident, not tamper-proof. A determined database admin can change anything; our job is to make every action visible and reconstructable.
• Honest about scope. We don't claim certifications we don't hold. We tell you what we have and what we're working on.

Tenant isolation

TheChattyAI is multi-tenant. Each customer is a separate "tenant" in our database. Calls, customers, bookings, and operations data are isolated using PostgreSQL row-level security. Every database connection sets a tenant context (app.tenant_id) before any read or write, and the database physically refuses to return rows from a different tenant.

We've written internal lint gates that fail the build if any new database write skips the tenant context. We also run a separate router-plane connection (with a different role) that has read-only access to a tiny set of public routing tables. The rest is fully gated.

Encryption

• In transit. All traffic between your browser, our backend, and our subprocessors uses TLS 1.2 or higher. HSTS is set on the marketing site.
• At rest. Our managed PostgreSQL provider (Render) encrypts the database disk. Audio recordings are stored on Cloudinary with provider-side encryption.
• Audio playback. When you (or your team) replay a recorded call, the audio is fetched via a short-lived signed URL (HMAC-SHA256, 10-minute TTL) so links don't survive screenshots or cache leaks.
• Field-level encryption. We do not currently field-encrypt voice transcripts or customer names beyond what the database disk provides. For medical workloads, see the HIPAA section below.

Authentication and access

• Customer dashboard. Email + password with rate-limited login. JWT-based session tokens scoped to a single tenant.
• Internal team. Hardware-key MFA on every account that can read customer data.
• Service-to-service. Internal calls between Pipecat, Inngest, and our backend are gated by a shared INTERNAL_SERVICE_KEY with timing-safe comparison.
• Webhooks. Every inbound webhook (Stripe, Twilio, Cal.com) is verified using the provider's signature scheme.

Audit trail

Every customer-affecting action (a call answered, a booking made, an SMS sent, an agent decision taken) writes a row to an append-only event ledger. The ledger has database triggers that reject UPDATE and DELETE so the history is structurally tamper-evident.

Every row carries the actor (which agent or human did the action), a parent event (so you can reconstruct fan-out chains), and an idempotency key (so retries don't double-count). If you ever need to know exactly what your AI agents did and why, the ledger is the system of record.

Observability

We use Langfuse on the Pro plan for agent tracing. Every voice call, every agent decision, and every LLM exchange leaves a trace that we can inspect during incident response. Traces are retained for three years. Sampling and a 429-circuit-breaker keep observability cost predictable while preserving full fidelity for incident debugging.

Incident response

• Detection. Health checks on every layer (API, voice bridge, database, payment provider) ping our pager.
• Communication. Status updates land on the support email thread within an hour of a P0 confirmation.
• Notification. If unauthorized access affects your data, we will tell you within 72 hours of confirmation, with a plain description of what we know, what we don't, and what we're doing.
• Post-mortem. Every P0 incident gets a written post-mortem, shared with affected customers.

Subprocessors

See the Privacy Policy › Service Providers section for the current list of vendors that touch your data, what they receive, and why.

HIPAA / BAA

What we have today

• HIPAA-capable infrastructure. Our database (Render), voice (Twilio), and observability (Langfuse Pro) layers all support Business Associate Agreements.
• Per-tenant isolation at the row-security layer: a hard requirement for PHI workloads.
• Append-only audit ledger covering the agent-decision boundary you'd need to evidence in a HIPAA review.
• BAA available on request for medical, dental, and other covered-entity tenants. We sign before any PHI is processed.

What we don't claim

• We do not advertise as a "HIPAA-certified" product. There is no such certification. We are HIPAA-capable, with a real BAA process, used by tenants on a case-by-case basis.
• We do not currently encrypt PHI at the application field level. We rely on the database-disk and provider-level encryption. If your security review requires field-level encryption, tell us; we have a design for it but haven't shipped it.

What we don't claim

• SOC 2 Type II. We are not yet audited. We're building toward it; ask if you need a target date.
• ISO 27001. Same.
• PCI Level 1. We don't store payment cards on our side. Stripe handles that and is PCI Level 1.
• "Bank-grade encryption" or "military-grade security." Marketing phrases that don't mean anything specific. We tell you what algorithms we use and what we don't.

Architecture

High-level: Twilio handles the phone network. Pipecat orchestrates inbound calls and runs Luna and Lucy on top of Gemini Live. Our backend on Render handles the operations layer (Aria), the database, and SMS via Twilio. Background work runs on Inngest. The marketing site is on Vercel. Recordings rehost to Cloudinary from Twilio for durable storage and faster playback.

We designed the boundaries so a failure in any one provider is contained: a Twilio outage doesn't break the database; a Vercel outage doesn't break inbound calls; an Inngest outage delays follow-ups but doesn't lose them.

Contact a human

Security questions are real questions. Email hello@thechattyai.com with the subject line "security" and you'll hear back from Richard. For procurement reviews and signed BAAs, the same email works. Flag the timeline and we'll work to it.