Security

In this page, we will discuss various aspects of security, including compliance, encryption, privacy, and more. Our goal is to provide you with valuable information and resources to ensure the security of your data and protect your privacy. Let's dive in!

Testing

Security testing is a crucial aspect of ensuring the robustness of your systems. It involves assessing the vulnerabilities and weaknesses in your infrastructure, applications, and networks. By conducting regular security testing, we can identify and address potential security risks before they are exploited by malicious actors.

There are various types of security testing we conduct regularly, including penetration testing, vulnerability scanning, and code review. These tests help identify security loopholes, validate the effectiveness of existing security controls, and provide recommendations for strengthening your overall security posture.

Compliance

Compliance with legal and regulatory standards is fundamental to maintaining a secure and trustworthy platform. At ChatBotKit, we adhere to stringent compliance protocols to ensure that our platform aligns with international and local data protection laws. Our compliance framework encompasses various standards, including GDPR, to provide a secure environment for both users and developers.

Privacy

Privacy is a cornerstone of our security model. ChatBotKit has built-in privacy features that safeguard your data and end-user conversations from unauthorized access and use, while preserving the anonymity of end-users. Our system automatically scans incoming messages for Personally Identifiable Information (PII), transforming any found PII using anonymization techniques such as hashing and tokenization. This process generates "entities" which logically represent the PII data, ensuring that the user's privacy is maintained throughout the interaction.

Encryption

Encryption plays a vital role in protecting your data both in transit and at rest. At ChatBotKit, we employ robust encryption standards to ensure the confidentiality and integrity of your data. For data in transit, we use industry-standard protocols to secure the communication channels between our servers, your systems, and end-users. Meanwhile, for data at rest, we utilize strong encryption algorithms to protect your data stored on our servers. This dual-layer encryption approach ensures that your data remains secure, fulfilling our commitment to provide a secure and reliable platform for all users.

Monitoring

ChatBotKit employs a comprehensive monitoring system that vigilantly oversees the platform's operations, ensuring optimum performance and security. All logs generated by the platform are retained for a period of up to 90 days, providing a substantial audit trail for troubleshooting and security analysis. For real-time insights and external monitoring, ChatBotKit exposes a webhook API and an event system. Through these interfaces, users can subscribe to a wide array of events, obtaining immediate notifications and facilitating prompt responses to critical incidents.

Incident Response

Our incident response protocol is meticulously designed to manage and mitigate security incidents effectively. Upon detection of an anomaly or a security incident, our dedicated incident response team is mobilized to investigate, contain, and remedy the situation. Communication channels are established with affected stakeholders, providing them with timely updates and guidance. Post-incident reviews are conducted to analyze the root causes, assess the impact, and formulate lessons learned to prevent recurrence and enhance our security posture.

Authentication and Authorization

Authentication and authorization are pivotal in maintaining a secure environment on ChatBotKit. Users are authenticated using session cookies, ensuring a secure and user-friendly authentication experience. On the other hand, API interactions are authenticated using tokens, providing a robust and secure mechanism for automated interactions. Sessions can be revoked at any moment, offering users and administrators granular control over active sessions. Our strict session control measures further bolster the security, preventing unauthorized access and ensuring only entitled users can access the necessary resources.

Access Model

ChatBotKit operates on a sophisticated app-based access model that provides granular security controls while maintaining simplicity for end users. This model ensures that users can only perform actions that are explicitly permitted by the applications they access, creating clear security boundaries and preventing unauthorized operations.

Dashboard Access and Admin Privileges

The ChatBotKit dashboard serves as the primary administrative interface and operates under a comprehensive access model. Users with dashboard access are automatically granted administrator privileges, which provide full access to all platform tools, resources, and functionality. This elevated access level enables administrators to:

• Create, modify, and delete all types of resources (bots, datasets, conversations, integrations)
• Configure platform settings and security parameters
• Manage user accounts and access permissions
• Access comprehensive analytics and monitoring tools
• Deploy and configure portals for other users

Dashboard administrators have unrestricted access to the complete ChatBotKit platform ecosystem, making them responsible for managing the security and configuration of their organization's AI infrastructure.

Portals: Packaged Applications with Limited Scope

Portals represent a key component of ChatBotKit's access model, serving as packaged applications that provide controlled access to specific platform capabilities. Unlike the full dashboard experience, portals are designed with intentionally limited feature sets that focus on particular use cases and user roles.

Portal Characteristics:

• Curated Functionality: Each portal exposes only specific applications (Chat, Inbox, Usage) based on configuration
• Custom Branding: Portals can be white-labeled with custom domains, logos, and styling
• User-Specific Access: Portal access is granted to explicitly defined users or user groups
• Feature Restrictions: Portals provide access to a subset of platform capabilities, not the full administrative interface

Portal Security Model:

Portals implement a strict security perimeter that prevents users from accessing functionality beyond what is explicitly configured. This ensures that portal users cannot accidentally or intentionally access administrative functions, other users' data, or platform areas outside their designated scope.

App-Level Permission Enforcement

The foundation of ChatBotKit's security model lies in app-level permission enforcement, where user capabilities are strictly defined by the applications they can access. This granular approach ensures that security boundaries are maintained at the application level rather than relying solely on user roles.

Permission Principles:

• Explicit Permissions Only: Users can perform only actions that their assigned applications explicitly permit
• No Implicit Access: There are no hidden or inherited permissions beyond what applications define
• Scope Limitation: Each application defines its own operational boundaries and resource access patterns
• Action Validation: Every user action is validated against the permissions defined by their accessible applications

Security Boundary Enforcement:

The platform enforces security boundaries through multiple layers:

• Application-Scoped Tokens: API access tokens are restricted to specific application contexts and routes
• Resource Isolation: Users can only access resources that their applications are configured to handle
• Route Validation: HTTP requests are validated against allowed routes for each application type
• Session Management: User sessions are scoped to their permitted applications and cannot access unauthorized areas

Practical Implementation:

When a user attempts to perform an action, the system validates:

1. Application Permissions: Whether the user's accessible applications permit the requested action
2. Resource Ownership: Whether the user has appropriate access to the specific resources involved
3. Route Authorization: Whether the requested operation is within the allowed routes for the user's applications
4. Token Scope: Whether the authentication token grants access to the requested functionality

This multi-layered approach ensures that users operate within clearly defined security boundaries, with access limited to exactly what their designated applications permit and nothing beyond that scope.

Data Residency and Sovereignty

ChatBotKit operates on a global edge network, designed to host data and utilize models from multiple regions, adhering to regional data residency and sovereignty requirements. This design allows for lower latency, improved performance, and compliance with local data protection laws. Users can have confidence that their data is handled in accordance with the legal and regulatory frameworks pertaining to their specific region.

Data Retention and Deletion

Data retention on ChatBotKit is governed by a well-defined policy that aligns with legal and business requirements. Data is retained only for as long as it is necessary to fulfill the purposes for which it was collected or to comply with legal obligations. Upon expiration of the retention period or upon user request, data is securely deleted. Our deletion processes are thorough, ensuring that once deleted, data is irretrievable.

Continuous Improvement

At ChatBotKit, we value the principle of continuous improvement to enhance the service quality and user experience. However, we uphold a strict policy regarding the use of customer data for these improvement processes. No customer data is utilized for continuous improvements without explicit consent from the users. This consent-based approach ensures transparency and builds trust between ChatBotKit and its user community, underlining our commitment to user privacy and data protection.