Security
Domain guards, session handling, credit controls, and data practices.
Domain guards
The chatbot widget validates the origin of each request against your approved domain list. Requests from unlisted domains are rejected before any AI call is made.
Two-Factor Authentication (2FA)
Teammates can secure their dashboard access by enabling TOTP-based two-factor authentication (compatible with Google Authenticator, Microsoft Authenticator, Authy, etc.). A secure 'Trust this device' cookie can be set to bypass 2FA prompts for 30 days on recognized browsers.
Distributed Rate Limiting
To protect your API keys and models against token-burn and credential stuffing abuse, rate limits are enforced across the platform. States are shared across all server instances using a MongoDB TTL collection, ensuring limits persist across redeploys.
- โLogin attempts: locked out after 10 failed login attempts in 15 minutes
- โWidget chats: throttled at 30 requests per minute per IP
- โFollow-up suggestions: throttled at 15 requests per minute per IP
- โGeneric guest forms (signup, contact, booking): 5 actions per minute
- โFailure-mode: Limiters automatically fail-open on DB connection failures so legitimate users are never locked out
Atomic Credit Reservation
To prevent concurrent request races from bypassing credit boundaries (TOCTOU overdraw), the streaming chat endpoint reserves 1 credit atomically on request start. If the stream fails or is aborted early, the credit is immediately refunded, ensuring billing-on-success.
Data storage
All conversation data, lead information, and crawled content is stored securely. Crawled content is vectorized and stored in Qdrant for semantic search. Lead details are stored in MongoDB.
Need more help?
Contact support and we'll get back to you within 24 hours.