Security
Last updated: June 13, 2026
Security and data protection are built into TideReply from the ground up. This page summarizes the technical and organizational measures we use to protect your data and your visitors' conversations. For data-flow and provider details, see our Privacy Policy and Subprocessors page.
Hosting & encryption
TideReply runs on Supabase (PostgreSQL) and Vercel. Your primary data is stored in the European Union (Frankfurt). Data is encrypted in transit (TLS) and at rest.
Tenant isolation
Every customer's data is strictly isolated. All database tables enforce row-level security (RLS), and every query — including AI knowledge retrieval (vector search) — is scoped to your business at both the application and database layers. There is no cross-tenant data access path: your knowledge and conversations are never accessible to other businesses on the platform.
Authentication & access control
Accounts are protected by Supabase Auth, and administrative actions are gated by server-side role checks. Visitor chat sessions are identified by HMAC-signed session tokens, and realtime conversation channels are private and scoped to a single conversation, so a visitor can neither read nor inject messages in another conversation.
Abuse & availability protection
Public endpoints are protected by layered rate limiting (per IP address, per session, and per business), automated bot detection on the chat endpoint, widget-origin validation, and per-plan usage ceilings. We also maintain an instant kill switch to disable chat globally or for a single tenant without a deployment.
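The layering described above (per-IP, per-session and per-business limits, widget-origin validation, per-plan ceilings and a kill switch), as an added example that is not TideReply's code. The window length, the limit values, the plan names, the tenant configuration shape and the in-memory counters are all assumptions; a deployment would keep the counters and the kill-switch flags in a shared store.

```javascript
// Added example (not TideReply's code): layered fixed-window rate limiting, widget-origin
// validation, per-plan ceilings and a kill switch for a public chat endpoint. All
// limits, plan names and the in-memory state are illustrative assumptions.

const WINDOW_MS = 60_000;
// Each layer limits a different dimension, so one noisy party cannot exhaust another's budget.
const BASE_LIMITS = { ip: 30, session: 20 };
// Per-plan ceilings for the business layer (assumed plan names).
const PLAN_LIMITS = { free: 100, pro: 1000 };

class RateLimiter {
  constructor(windowMs = WINDOW_MS) {
    this.windowMs = windowMs;
    this.counters = new Map(); // "layer:id" -> { windowStart, count }
  }

  // Returns the first layer over budget, or null if every layer admits the request.
  // Counters are incremented only after all layers pass, so a rejected request does not
  // burn budget on the layers that were still under their limit.
  check(limits, ids, now = Date.now()) {
    const touched = [];
    for (const [layer, limit] of Object.entries(limits)) {
      const key = `${layer}:${ids[layer]}`;
      let c = this.counters.get(key);
      if (!c || now - c.windowStart >= this.windowMs) {
        c = { windowStart: now, count: 0 };
        this.counters.set(key, c);
      }
      if (c.count >= limit) return layer;
      touched.push(c);
    }
    for (const c of touched) c.count += 1;
    return null;
  }
}

// Kill switch read on every request, so chat can be disabled globally or for one tenant
// without a deployment. Held in memory here; in production this is a shared flag.
const killSwitch = { global: false, tenants: new Set() };

// Widget-origin validation: the browser-set Origin header must match one of the origins
// the tenant registered. Parsing through URL normalizes default ports, so
// "https://shop.example:443" matches a registered "https://shop.example".
function originAllowed(origin, tenant) {
  if (typeof origin !== 'string') return false;
  let normalized;
  try { normalized = new URL(origin).origin; } catch { return false; } // "null" and junk fail closed
  return tenant.allowedOrigins.has(normalized);
}

// Gate one chat request. req: { ip, sessionId, origin }; tenant: { id, plan, allowedOrigins }.
// Cheap checks (kill switch, origin) run before any counter is touched.
function gateChatRequest(limiter, req, tenant, now = Date.now()) {
  if (killSwitch.global || killSwitch.tenants.has(tenant.id)) {
    return { ok: false, status: 503, reason: 'chat disabled' };
  }
  if (!originAllowed(req.origin, tenant)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  const limits = { ...BASE_LIMITS, business: PLAN_LIMITS[tenant.plan] ?? PLAN_LIMITS.free };
  const ids = { ip: req.ip, session: req.sessionId, business: tenant.id };
  const over = limiter.check(limits, ids, now);
  if (over) return { ok: false, status: 429, reason: `rate limit exceeded (${over})` };
  return { ok: true };
}
```

The order of the checks matters: the kill switch and origin check cost a map lookup each and reject abusive traffic before it touches the shared counters, and the business layer is evaluated last so that a single abusive IP or session is stopped by its own budget before it can push the whole tenant into its plan ceiling.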
Application security
All database access uses parameterized queries, so user input is never interpolated into SQL. Our website crawler uses a DNS-rebinding-safe guard that rejects requests that resolve to internal or non-public addresses and re-validates on every redirect hop, preventing server-side request forgery through crawled sites. User-supplied content is escaped and sanitized to prevent cross-site scripting, a Content Security Policy is enforced, and service credentials are never exposed to client-side code.
AI & data processing
Your knowledge content and conversations are used only to power your own chatbot. They are processed by our AI providers (Anthropic and OpenAI) under API terms under which your data is not used to train their general-purpose models, and they are never shared across tenants. Our full list of providers and their roles is on the Subprocessors page.
Monitoring
We run error monitoring and alerting across the application and our scheduled jobs so we can detect and respond to issues quickly.
Data retention & your control
You can delete individual conversations or your entire account at any time from your dashboard. When you delete your account, associated data is permanently removed within 30 days. See our Privacy Policy for full retention details.
Reporting a vulnerability
If you believe you have found a security issue, please email support@tidereply.com. We appreciate responsible disclosure and will respond promptly.