Conversation data is sensitive.
We treat it that way.
Acumen runs on infrastructure used by Fortune 500 companies for high-trust workloads. The practices below are what ships today — not aspirational. We’re in beta, so SOC 2 attestation is on the roadmap; everything else is in production.
Multi-tenant isolation
In production
Every customer is an organization. Every visitor-facing table — conversations, messages, leads, analytics events, visitor profiles, conversions, offer events — is scoped by org_id with row-level security (RLS) enforced by Postgres itself, not by application code. A bug in our routes can’t read or write another tenant’s rows.
The widget never reads or writes the database directly. It always goes through server-side API routes that use the service-role key after validating org_id + conversation_id + visitor_id server-side.
Origin enforcement (CORS allow-list)
In production
Each organization can define allowed_origins — the exact domains that may load Acumen’s widget or call its APIs. The check is enforced on the widget loader, every chat API route, and the conversion webhook. Disallowed origins receive a 403.
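What an exact-match origin check of this kind looks like in a server-side route, as an added example (not Acumen’s own code): origins are normalised to scheme + host + port and compared as whole strings, so a look-alike host, a different scheme, a URL with a path, or a `null` origin all fall through to 403. The function names and the sample allowed_origins list are assumptions of this example.

```javascript
// Added example, not Acumen's code: exact-match origin allow-list check
// for a server-side API route. Names and sample config are assumptions.

// Normalise an Origin header or a configured entry to "scheme://host[:port]".
// Returns null for "null" origins, non-http(s) schemes, or values that carry
// a path, query, fragment or credentials (those are URLs, not origins).
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.pathname !== '/' || url.search || url.hash || url.username || url.password) return null;
  // URL.origin drops default ports, so "https://x:443" compares equal to "https://x".
  return url.origin;
}

// Build the per-organization allow-list once from its configured entries.
// Malformed entries are skipped here; a real admin UI should reject them on save.
function buildAllowList(allowedOrigins) {
  const set = new Set();
  for (const entry of allowedOrigins) {
    const n = normalizeOrigin(entry);
    if (n) set.add(n);
  }
  return set;
}

// Status the route should answer with: 200 for an allowed origin, 403 otherwise.
// A missing Origin header is treated as disallowed; browsers send it on every
// cross-origin fetch, which is what the widget's API calls are.
function checkOrigin(allowList, originHeader) {
  const n = normalizeOrigin(originHeader);
  return n !== null && allowList.has(n) ? 200 : 403;
}

// CORS headers for an allowed origin: echo the exact origin, never "*", and
// mark the response as varying by Origin so shared caches do not reuse it.
function corsHeaders(allowList, originHeader) {
  if (checkOrigin(allowList, originHeader) !== 200) return null;
  return {
    'Access-Control-Allow-Origin': normalizeOrigin(originHeader),
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
  };
}

// Constructed sample: one organization's allowed_origins.
const SAMPLE_ALLOW_LIST = buildAllowList([
  'https://shop.example.com',
  'https://www.example.com:443', // normalises to https://www.example.com
  'not a url',                   // ignored
]);
```

The important property is that matching is on the whole normalised origin: `https://shop.example.com.attacker.test` does not match `https://shop.example.com`, and neither does `http://shop.example.com`.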
Signed webhooks
In production
Inbound webhooks (CRM → Acumen, server-to-server conversion attribution) are HMAC-SHA-256 signed using a per-organization secret. Signatures are compared in constant time to prevent timing-side-channel attacks.
Public/browser conversion attribution is restricted: it requires both visitorId and conversationId to match the same conversation, and rejects any non-zero conversion value without a signed request.
Rate limiting
In production
Sliding-window rate limits backed by Upstash Redis: 30/min per (org, visitor) on chat, 60/min per IP on conversion webhooks, 10/min on knowledge ingestion, and 5/min on auth routes. Hits log a system event so we can spot abuse patterns.
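A sliding-window limiter with the four limits listed above, as an added example rather than Acumen’s implementation: hits are kept per key and anything older than the window is dropped on each check, and a denied call fires a callback in place of the system event the page mentions. The in-memory Map stands in for Upstash Redis so the example runs offline; the key layout, the `check` signature and the sample IP are assumptions.

```javascript
// Added example, not Acumen's code: sliding-window rate limiting with the
// limits from the page. An in-memory Map replaces Upstash Redis so this runs
// offline; key layout and the event hook are assumptions.
const LIMITS = {
  chat: { limit: 30, windowMs: 60_000 },               // per (org, visitor)
  conversion_webhook: { limit: 60, windowMs: 60_000 }, // per IP
  knowledge_ingest: { limit: 10, windowMs: 60_000 },   // per org
  auth: { limit: 5, windowMs: 60_000 },                // per IP
};

class SlidingWindowLimiter {
  // onLimited is called with details of every denied request, which is where
  // a system event would be written so abuse patterns can be reviewed later.
  constructor(limits, onLimited = () => {}) {
    this.limits = limits;
    this.onLimited = onLimited;
    this.hits = new Map(); // key -> ascending array of hit timestamps (ms)
  }

  // Record one request and decide. keyParts is e.g. [orgId, visitorId] or [ip].
  // `now` is injectable so behaviour can be checked without real time passing.
  // Returns { allowed, remaining, retryAfterMs }.
  check(route, keyParts, now = Date.now()) {
    const cfg = this.limits[route];
    if (!cfg) throw new Error(`no limit configured for route ${route}`);
    const { limit, windowMs } = cfg;
    const key = `${route}:${keyParts.join(':')}`;
    const windowStart = now - windowMs;
    // Keep only hits still inside the window; this is the "sliding" part.
    const recent = (this.hits.get(key) || []).filter((t) => t > windowStart);
    if (recent.length >= limit) {
      // The window frees a slot when the oldest surviving hit ages out.
      const retryAfterMs = recent[0] + windowMs - now;
      this.hits.set(key, recent);
      this.onLimited({ route, key, now, retryAfterMs });
      return { allowed: false, remaining: 0, retryAfterMs };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  }
}

// Value for a Retry-After header, which is expressed in whole seconds.
function retryAfterSeconds(result) {
  return result.allowed ? 0 : Math.ceil(result.retryAfterMs / 1000);
}
```

Keying chat by (org, visitor) rather than by IP is what keeps one noisy visitor from exhausting the budget of everyone behind the same NAT; the IP-keyed routes are the ones where there is no better identity to use.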
Authentication & authorization
In production
Admin auth via Supabase Auth (magic-link or password). Roles — owner, team_member, readonly — are enforced at both the API layer and through RLS. Cron routes are gated by CRON_SECRET and fail closed.
Passwords are never persisted by Acumen. Beta-application passwords are used only at Supabase signup time; they don’t enter our database or logs.
Data handling
In production
Encryption in transit (HTTPS / TLS 1.2+). Data at rest is encrypted by Supabase’s managed Postgres on AWS. CRM credentials are stored encrypted in crm_configurations; they are never exposed to the client.
We retain conversation data for the lifetime of the customer account. On request, we delete a customer’s data within 30 days. Visitor PII (email, phone, name) is captured only when the visitor explicitly provides it.
AI provider scope
In production
Conversation generation runs on Anthropic Claude; embeddings use OpenAI. Both are called server-to-server with no zero-data-retention concerns for non-sensitive workloads. Customer prompts and conversation turns are not used for model training by either provider under their API terms.
Compliance roadmap
In progress
SOC 2 Type 1 — preparing for an attestation engagement in our paid-launch window.
GDPR / CCPA data-subject requests — handled manually today; self-serve in the admin is on the roadmap.
Data residency — currently US-East; EU residency available on request.
Reporting issues
If you find a security issue, email security@tryacumen.ai. We aim to acknowledge within 24 hours. Please don’t publicly disclose until we’ve had a chance to investigate and fix.
Have a security questionnaire to send us? Email security@tryacumen.ai — we respond fast.