Security at Replyful

Replyful AB · Last updated: May 2026

Replyful handles your customers' conversations — names, email addresses, and message content. This page explains how we protect that data, in plain language. For the contractual version, see our Data Processing Agreement.

Encryption

All traffic to Replyful is encrypted in transit using TLS. Customer data at rest is stored in an encrypted database. Sensitive credentials are additionally encrypted at the application layer with AES-256 before they reach the database.
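As an added illustration of the application-layer step described above (example code written for this page, not Replyful's own implementation): a secret is sealed with AES-256-GCM before it is handed to the database, so the database row holds only nonce, ciphertext and authentication tag. The 32-byte key, the field name and the "orgID:fieldName" context string are constructed assumptions; a real deployment takes the key from a secret store or KMS, never from source.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte key so the example runs offline.
// A real deployment fetches the key from a KMS or secret store at start-up;
// it is never checked into source or stored next to the data it protects.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// EncryptCredential seals a secret with AES-256-GCM before it is written to the database.
// aad is authenticated-but-unencrypted context ("orgID:fieldName", an assumption of this
// example) that binds the ciphertext to its row, so a value copied into another
// tenant's row no longer decrypts.
func EncryptCredential(key, plaintext []byte, aad string) (string, error) {
	if len(key) != 32 {
		return "", errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// A fresh random nonce per encryption; reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, nonce, plaintext, []byte(aad))
	// Stored column value = base64(nonce || ciphertext || tag).
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptCredential reverses EncryptCredential. Any change to the stored value,
// or a mismatched aad, makes the GCM tag check fail and returns an error.
func DecryptCredential(key []byte, stored, aad string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return nil, errors.New("stored value too short to be a valid ciphertext")
	}
	return gcm.Open(nil, raw[:ns], raw[ns:], []byte(aad))
}

func main() {
	// Constructed sample secret and row context.
	stored, err := EncryptCredential(demoKey, []byte("smtp-password-example"), "org_123:smtp_password")
	if err != nil {
		panic(err)
	}
	fmt.Println("column value:", stored)
	pt, err := DecryptCredential(demoKey, stored, "org_123:smtp_password")
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	_, err = DecryptCredential(demoKey, stored, "org_999:smtp_password")
	fmt.Println("wrong row context:", err)
}
```

The database never sees the key, and a database-level compromise or a mis-scoped query yields only opaque column values; binding the row context into the AAD also means an attacker who can copy ciphertext between rows cannot make a tenant decrypt someone else's secret.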

Tenant isolation

Your data is yours. Every Replyful organization is logically isolated from every other — one customer's account cannot reach another customer's data.

Access management

Sign-in is handled by WorkOS (SOC 2 and ISO 27001 certified). Inside your organization you set role-based permissions per user: who can read conversations, who can reply, who can manage settings, who can manage the knowledge base.

Personnel and internal access

Our entire operations team — administrators, engineers, and support — works from the EU/EEA. Customer data is not accessed from outside the EEA.

Employees receive only the access their role needs — nothing more — and access is revoked when no longer required. Multi-factor authentication is required on every account. Operator laptops use full-disk encryption, so data on a lost or stolen device is unreadable.

Secure development

Tenant isolation is verified by an automated test suite that runs on every code change — cross-organization data access is treated as a P0 bug. Dependencies are kept up to date by an automated dependency-update bot, and security advisories for our stack are monitored and patched.
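The two isolation claims above (under "Tenant isolation" and here) can be shown concretely with a small example, added for this page and not taken from Replyful's code base: every read in the data layer is scoped by the caller's organization, a foreign row is reported exactly like a missing one, and a CI-style check walks every row and every tenant to confirm that no cross-organization read succeeds. The `Store`, `Tenant`, `CheckIsolation` names and the two-organization fixture are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ErrNotFound is returned both for a missing row and for a row owned by another
// organization, so a caller cannot distinguish the two (no ID-probing oracle).
var ErrNotFound = errors.New("conversation not found")

type Conversation struct {
	ID    string
	OrgID string
	Body  string
}

// Tenant is the caller's organization as established by the authenticated
// session, never read from a query parameter or request body.
type Tenant struct{ OrgID string }

// Store stands in for the database; the org check lives here, in the one read
// path, rather than being repeated (and eventually forgotten) in each handler.
type Store struct{ rows map[string]Conversation }

func NewStore(rows ...Conversation) *Store {
	s := &Store{rows: make(map[string]Conversation, len(rows))}
	for _, r := range rows {
		s.rows[r.ID] = r
	}
	return s
}

// Get returns a conversation only if it belongs to the caller's organization.
func (s *Store) Get(t Tenant, id string) (Conversation, error) {
	c, ok := s.rows[id]
	if !ok || c.OrgID != t.OrgID {
		return Conversation{}, ErrNotFound
	}
	return c, nil
}

// List returns only the tenant's own rows, in a stable order.
func (s *Store) List(t Tenant) []Conversation {
	var out []Conversation
	for _, c := range s.rows {
		if c.OrgID == t.OrgID {
			out = append(out, c)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

// CheckIsolation is the kind of assertion an automated suite runs on every change:
// for every row, every tenant other than its owner must get ErrNotFound, and no
// List may contain a foreign row. It returns one line per leak; empty means clean.
func CheckIsolation(s *Store, orgs []string) []string {
	var leaks []string
	for _, org := range orgs {
		t := Tenant{OrgID: org}
		for id, row := range s.rows {
			if row.OrgID == org {
				continue
			}
			if _, err := s.Get(t, id); !errors.Is(err, ErrNotFound) {
				leaks = append(leaks, fmt.Sprintf("Get: %s read %s owned by %s", org, id, row.OrgID))
			}
		}
		for _, c := range s.List(t) {
			if c.OrgID != org {
				leaks = append(leaks, fmt.Sprintf("List: %s saw %s owned by %s", org, c.ID, c.OrgID))
			}
		}
	}
	sort.Strings(leaks)
	return leaks
}

// DemoStore is a constructed fixture: two organizations with one conversation each.
func DemoStore() *Store {
	return NewStore(
		Conversation{ID: "conv_1", OrgID: "org_a", Body: "Hello from A's customer"},
		Conversation{ID: "conv_2", OrgID: "org_b", Body: "Hello from B's customer"},
	)
}

func main() {
	s := DemoStore()
	_, err := s.Get(Tenant{OrgID: "org_b"}, "conv_1")
	fmt.Println("org_b reading conv_1:", err)
	fmt.Println("leaks:", CheckIsolation(s, []string{"org_a", "org_b"}))
}
```

Putting the org filter in the data layer and then testing it exhaustively over fixtures is what turns "logically isolated" from a statement into something that fails a build when it stops being true.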

Logging and monitoring

We collect structured application logs and error reports to operate the service and respond to incidents. The content of customer messages is not included in those logs in normal operations, and access to logs is limited to the engineers who run the service. Error reports are stored by our monitoring provider (Sentry, hosted in the EU) for 30 days and then deleted.

Incident response

Errors and abnormal behavior are surfaced to our engineering team through Sentry alerts. If we identify a confirmed personal-data breach, we notify affected customers without undue delay and no later than 72 hours after we become aware of it (see the DPA, Section 9). The notification includes the nature of the breach, the data subjects affected, the likely impact, and the steps we are taking.

AI processing

Replyful uses large-language-model APIs to generate replies, classify messages, and search your knowledge base. Production traffic is routed to Google Vertex AI and AWS Bedrock, both in EU regions.

Per Google Cloud Service Terms, Section 18, Google does not use customer prompts, completions, or embeddings to train Google's foundation models, and Google runs only automated abuse-monitoring classifiers on inputs and outputs (no human review). AWS commits the same for Bedrock: inputs and outputs are never shared with model providers or used to train base models (see Bedrock security and privacy). No Replyful customer data is shared with third-party model providers.

Backups

We take encrypted daily backups of the production database, retained for 7 days, and encrypted weekly backups retained for 30 days. All backups stay inside the EU. After the retention window expires, deleted data cannot be recovered from backups.

Data residency and subprocessors

All long-term storage of customer data — primary database, file attachments, application logs, error reports (Sentry, EU), and backups — is in the EU (Frankfurt and Amsterdam). Our entire operations team, and all administrator access, is in the EU/EEA.

Inbound HTTP traffic to several subdomains is routed through Cloudflare's global edge for TLS termination and DDoS protection before reaching our EU origin; nothing is stored at the edge.

A small number of subprocessors are based in the US — most notably WorkOS (authentication) and Stripe (billing) — and those transfers are covered by EU Standard Contractual Clauses. WorkOS and Stripe only see the narrow data required to run authentication and billing; they do not handle conversation content. The full subprocessor list and the data each one receives is in the DPA, Section 6.

Data deletion

You can configure a retention period per channel — when the period expires, the personal data in those conversations is permanently and irreversibly removed. When your organization is removed we delete all org data within 30 days, except where law requires us to keep it (for example, invoices under Swedish accounting law). Deleted data ages out of all backups within a further 30 days. Details in the DPA, Section 10.

Security testing and certifications

We continuously test the service with automated scanners (Detectify, OWASP ZAP, Cloudflare) and our engineering team triages findings as they appear. We do not currently hold an external SOC 2 or ISO 27001 certification — that is on our roadmap as we grow. Our authentication provider (WorkOS) is SOC 2 Type II and ISO 27001 certified, and our infrastructure providers (AWS, Google Cloud) maintain equivalent certifications.

Reporting a vulnerability

Email [email protected]. We respond within one business day. Please do not file public issues for security findings.