Trust & Security

Your data is the foundation of your business. We protect it with enterprise-grade encryption, private AI infrastructure, and comprehensive access controls.

Encrypted at Rest & in Transit

AES-256-GCM encryption for all sensitive data at rest. TLS 1.2+ for every connection. Your platform tokens are never stored in plaintext.

Self-Hosted AI

Our proprietary Muse AI runs on private GPU infrastructure. Fan data never leaves our servers. No third-party AI providers. No data sharing.

Private Infrastructure

Dedicated servers with Docker container isolation. No shared hosting. No multi-tenant data mixing. Your data is physically separated.

Role-Based Access

Three-tier RBAC (Owner, Admin, Chatter) with per-user tab permissions. Every team member sees only what they need.

Content Safety

Message Guard blocks 120+ prohibited words. Character Guard monitors AI behavior. Human operator approves every message before sending.

GDPR & CCPA Ready

Full data subject rights support. Data deletion within 30 days of request. We do not sell personal information. DPA available on request.

Encryption & Authentication

Every layer of the platform is secured with industry-standard cryptographic protocols.

Data at Rest | AES-256-GCM | Platform tokens, OAuth credentials, API keys
Data in Transit | TLS 1.2+ | All API and webhook communications
Passwords | bcrypt (10 rounds) | Salted, timing-safe comparison
OAuth Flows | PKCE + CSRF State | SHA-256 code challenge, Redis-stored state
Webhooks | HMAC-SHA256 | Signature verification + 5-min replay protection
Sessions | JWT (1h access / 7d refresh) | Token versioning for instant revocation

API Protection

Multiple layers of defense protect every API endpoint.

Protection | Details | Status
Rate Limiting | 4 tiers: Auth (5/15min), AI (10/min/model), Extension (30/min), General (100/min) | Active
Input Validation | Zod schema validation on all endpoints. Parameterized SQL queries (zero injection surface) | Active
Security Headers | Helmet (HSTS, X-Frame-Options, X-Content-Type-Options), Permissions-Policy, COOP, CORP | Active
CORS | Strict whitelist: only authorized domains and extensions | Active
Cache Control | No-store, no-cache on all API responses | Active
Audit Logging | Admin actions logged with user ID, IP address, timestamp, and action details | Active
Dependency Scanning | Automated vulnerability detection via GitHub Dependabot | Active

AI & Data Privacy

Your fan data stays under your control. Always.

AI Infrastructure | Self-Hosted (Private GPU) | No OpenAI, no Google, no Anthropic. Our Muse model runs on infrastructure we control.
Data Sharing | Zero Third-Party Access | Fan messages, profiles, and behavioral data are never sent to external AI providers.
AI Training | Opt-In Only | Your identifiable data is never used for model training without explicit written consent.
Human Oversight | Operator Approval Required | Every AI-generated message requires human review before sending. No autonomous messaging.

Sub-Processors

Provider | Purpose | Data Processed | Location
Vast.ai | GPU compute for AI model | Inference requests (no persistent storage) | Canada
Hosting provider | Application server, database | All platform data | Europe

Sub-processor list is updated as changes occur. Last reviewed: April 2026.

Legal & Compliance Documents

Privacy
GDPR + CCPA compliant. Data collection, usage, and your rights.
Terms
Usage rules, AI disclaimers, IP ownership, liability.
Content
Prohibited content, enforcement, TAKE IT DOWN Act compliance.
Data Processing
DPA Available on Request
GDPR Article 28 compliant. Email us to receive a copy.

Questions about security?

Our team is here to help. Reach out for security inquiries, vulnerability reports, or to request our DPA/NDA.

[email protected]