सामग्री पर जाएं
कानूनी

सुरक्षा

अंतिम अपडेट: 3 जुलाई 2026

EnvoyOne handles live customer conversations, so security is designed into the platform's architecture rather than bolted on. This page describes the controls that protect your workspace and your callers' data.

Tenant isolation

EnvoyOne is multi-tenant with isolation enforced in the database itself: every tenant-scoped table carries Postgres row-level security policies, enforced with FORCE ROW LEVEL SECURITY, and the application executes as a non-privileged database role that cannot bypass them. A query without your tenant's context cannot read your rows — isolation does not depend on application code remembering to filter.

Encryption

Data in transit is encrypted with TLS. At rest, high-sensitivity data — workspace provider API keys (your bring-your-own OpenAI key) and call recordings — is envelope-encrypted with a master key that is supplied to the runtime from the deployment's secret manager and never stored alongside the data. Storing a tenant secret without the encryption key configured fails closed rather than falling back to plaintext.

Access control and authentication

Dashboard access requires an authenticated session (email and password with two-factor authentication available), and every workspace member acts under a role — owner, admin, or agent — that scopes what they can see and change. Session cookies are the only browser state used for authentication; there are no long-lived tokens in the browser.

Provider keys

Bring-your-own AI provider keys are write-only from the dashboard: they are encrypted on save, surfaced only as a masked fingerprint afterwards, redacted from logs, and used exclusively to serve your own workspace's calls.

Infrastructure

Services run as containers with unprivileged (non-root) users, secrets arrive via the environment or secret manager rather than being baked into images, and the database login used by the application holds least-privilege rights. The control plane refuses to boot in live mode with known-insecure defaults (for example a missing or default auth secret).

On-prem connector

For systems that must stay inside your network, the on-prem connector establishes a mutually-authenticated TLS (mTLS) channel using per-connector certificates issued by the platform CA, so private integrations never require exposing your systems to the public internet.

Observability and auditability

The platform emits structured logs with secret redaction and distributed traces via OpenTelemetry, giving operators an audit trail of system behavior without leaking sensitive values into log storage.

Data deletion

Workspace administrators can delete recordings, transcripts, knowledge documents, and provider keys from the dashboard. Deleting an organization removes its tenant data from production systems, with backup copies expiring on a fixed schedule — see the Privacy Policy for retention details.

Responsible disclosure

If you believe you have found a vulnerability, email hello@envoyone.ai with the subject "Security" and enough detail to reproduce the issue. Please give us a reasonable window to remediate before public disclosure and avoid accessing other tenants' data while testing. We do not pursue good-faith research conducted under these rules, and we credit reporters who want it.

Questions

Security questionnaires, compliance questions, or anything this page does not answer: email hello@envoyone.ai.