Security

Enterprise-grade security built into every deployment

Security is not an afterthought—it's built into our architecture from the ground up.

ConvoAI follows industry best practices and compliance frameworks to protect your data.

Security Overview

When you deploy ConvoAI to your AWS account, you maintain full control over your security posture. Our architecture is designed to align with industry standards including NIST Cybersecurity Framework and SOC 2 requirements.

Encryption

TLS 1.3 in transit, AES-256 at rest

Infrastructure

Deployed to your AWS account

Monitoring

CloudWatch logging and alerts

Infrastructure Security

Your AWS Account: ConvoAI deploys entirely within your AWS infrastructure, giving you complete control over:

  • Network configuration and VPC settings
  • Security groups and firewall rules
  • IAM roles and access policies
  • Encryption keys (AWS KMS)
  • Backup and disaster recovery

AWS Security Features:

  • Private subnets for sensitive components
  • Application Load Balancer with WAF
  • RDS with automated backups and encryption
  • S3 with server-side encryption
  • CloudWatch for logging and monitoring

Application Security

Encryption

  • Data in Transit: TLS 1.3 for all communications
  • Data at Rest: AES-256 encryption for databases and file storage
  • Password Hashing: Bcrypt with salt for user passwords

Authentication & Authorization

  • JWT-based authentication with secure token management
  • Role-Based Access Control (RBAC) for granular permissions
  • Session management with secure cookies
  • Password complexity requirements
  • Account lockout after failed login attempts
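The password-hashing and lockout points above, worked through as an added example (this is illustrative code, not ConvoAI's implementation). The page states bcrypt; this example uses PBKDF2-HMAC-SHA256 from the Python standard library so it runs without third-party packages, and the lockout policy it assumes (five failed attempts lock the account for 15 minutes) is a placeholder, not a value the page gives. The clock is injected so the lockout window can be exercised without waiting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values (the page does not state them): five failures lock
# the account for 15 minutes.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

# PBKDF2-HMAC-SHA256 stands in for bcrypt here. The iteration count is kept
# low so the example runs quickly; production deployments should use a
# considerably higher work factor.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str) -> str:
    """Hash with a fresh random salt; the salt is stored next to the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified against for unknown usernames so a missing account costs the same
# time as a wrong password (reduces username enumeration via timing).
DUMMY_HASH = hash_password(os.urandom(8).hex())


@dataclass
class Account:
    password_hash: str
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginService:
    def __init__(self, clock):
        self._clock = clock  # callable returning the current time in seconds
        self._accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        self._accounts[username] = Account(hash_password(password))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'."""
        now = self._clock()
        account = self._accounts.get(username)
        if account is None:
            verify_password(password, DUMMY_HASH)
            return "denied"
        if now < account.locked_until:
            # Even a correct password is refused while the lock is active.
            return "locked"
        if verify_password(password, account.password_hash):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
        return "denied"


def demo() -> list:
    """Five wrong guesses lock the account; the lock expires after the window."""
    t = [0.0]  # constructed fake clock
    svc = LoginService(clock=lambda: t[0])
    svc.register("alice", "correct horse battery staple")
    results = [svc.login("alice", "wrong") for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(svc.login("alice", "correct horse battery staple"))  # locked
    t[0] += LOCKOUT_SECONDS + 1
    results.append(svc.login("alice", "correct horse battery staple"))  # ok
    return results


if __name__ == "__main__":
    print(demo())
```

Every lockout decision and password failure in `login` is the kind of event the Audit Logging section expects to be recorded; in a real deployment each branch would emit a structured log entry rather than only a return value.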

OWASP Top 10 Protection

Our code is designed to protect against the OWASP Top 10 vulnerabilities:

✓ Injection Prevention

Parameterized queries, input validation

✓ Broken Authentication

Secure session management, MFA ready

✓ Sensitive Data Exposure

Encryption, secure storage practices

✓ XML External Entities (XXE)

Disabled XML external entity processing

✓ Broken Access Control

RBAC, principle of least privilege

✓ Security Misconfiguration

Secure defaults, hardened configuration

✓ Cross-Site Scripting (XSS)

Input sanitization, CSP headers

✓ Insecure Deserialization

Safe serialization practices

✓ Using Components with Known Vulnerabilities

Regular dependency updates

✓ Insufficient Logging & Monitoring

Comprehensive audit logs
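The first item in the list above, "parameterized queries, input validation", shown as an added example rather than ConvoAI's own code. The table, rows and the `users` schema are constructed for the demonstration; the hostile input is the textbook tautology string used only to show how the two query styles differ. Parameter binding is the primary control; the email format check is defence in depth, not a substitute for it.

```python
import re
import sqlite3

# Constructed sample data standing in for the application database.
SAMPLE_USERS = [
    ("alice@example.com", "admin"),
    ("bob@example.com", "user"),
    ("carol@example.com", "user"),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Anti-pattern: untrusted input is spliced into the SQL text, so the
    # input can change the structure of the query, not just the value.
    sql = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # Hardened form: the query text is fixed and the value is bound
    # separately, so it is only ever compared as a string.
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


def is_plausible_email(value: str) -> bool:
    # Allow-list validation: reject anything that is not shaped like an
    # address before it reaches the data layer.
    return EMAIL_RE.fullmatch(value) is not None


def demo() -> dict:
    """Row counts returned by each query style for a legitimate and a hostile input."""
    conn = build_db()
    legit = "alice@example.com"
    hostile = "' OR '1'='1"  # constructed; turns the vulnerable WHERE into a tautology
    return {
        "vuln_legit": len(find_user_vulnerable(conn, legit)),
        "vuln_hostile": len(find_user_vulnerable(conn, hostile)),
        "param_legit": len(find_user_parameterized(conn, legit)),
        "param_hostile": len(find_user_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable lookup returning every row for the hostile input while the parameterized lookup returns none; the validator rejects the hostile string outright, which is why the page lists both controls together.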

Compliance Frameworks

ConvoAI's architecture is designed to align with major compliance frameworks:

NIST Cybersecurity Framework

Our architecture aligns with the five core functions:

  • Identify: Asset management, risk assessment
  • Protect: Access control, data security, secure development
  • Detect: Monitoring, logging, anomaly detection
  • Respond: Incident response procedures
  • Recover: Backup and recovery capabilities

SOC 2 Ready Architecture

Designed with SOC 2 Trust Service Criteria in mind:

  • Security: Access controls, encryption, monitoring
  • Availability: Redundancy, backups, disaster recovery
  • Processing Integrity: Data validation, error handling
  • Confidentiality: Encryption, access controls
  • Privacy: GDPR-aligned data protection

* SOC 2 certification is the responsibility of the deploying organization

GDPR Compliance

Built-in features to support GDPR requirements:

  • Data minimization and purpose limitation
  • User consent management
  • Right to access, rectification, and erasure
  • Data portability support
  • Audit logging for accountability

Incident Response

In the event of a security incident:

  • Detection: CloudWatch alerts and monitoring
  • Containment: Automated and manual response procedures
  • Investigation: Comprehensive audit logs for forensics
  • Remediation: Patch deployment and system hardening
  • Notification: GDPR-compliant breach notification (72 hours)

Audit Logging

Comprehensive logging for security and compliance:

  • User authentication and authorization events
  • Data access and modifications
  • Administrative actions
  • System errors and anomalies
  • API requests and responses

Logs are stored securely in CloudWatch with configurable retention periods.

Security Best Practices

We recommend the following security practices for your deployment:

  • Enable MFA for all administrative accounts
  • Regularly rotate credentials and API keys
  • Keep dependencies updated with security patches
  • Conduct regular security audits and penetration testing
  • Implement least privilege access policies
  • Monitor CloudWatch logs for suspicious activity
  • Maintain regular backups and test recovery procedures

Security Contact

If you discover a security vulnerability, please report it responsibly:

Email: security@convoai.com

PGP Key: Available upon request

We take all security reports seriously and will respond within 48 hours.