Encryption
In transit
All traffic between your browser, the embed widget, and saavos servers is encrypted in transit over modern TLS (1.2 or higher), terminated at the Vercel edge.
At rest
Your data is stored on Supabase (Postgres), which encrypts all data at rest with AES-256. Encryption is managed by the database layer — no extra configuration required on your end.
API keys
Programmatic API keys are stored as SHA-256 hashes. We never store the raw key after you copy it on creation. If lost, rotate and issue a new one.
Data isolation
Row-level security
Every table in the saavos database has Postgres Row Level Security (RLS) enabled from the first migration. Queries scoped to your session can only read and write rows where owner_id matches your account — enforced at the database layer, not just in application code.
Bot isolation
Each bot, its knowledge sources, and its conversation logs are isolated by owner_id. You cannot accidentally read another owner's data, and neither can we through normal query paths.
No model training
We do not use your knowledge sources, chat logs, or any customer-submitted content to train or fine-tune AI models. Your data is used only to answer queries on your behalf.
Authentication
Session auth
Dashboard sessions are managed by Supabase Auth using secure HttpOnly cookies. Google OAuth is supported. Passwords (if used) are stored as bcrypt hashes by Supabase — we never see plaintext credentials.
API keys
Each owner can issue one or more API keys for programmatic access. Keys are scoped per owner, revocable at any time from the dashboard, and expire on deletion — there is no grace period after revocation.
Hosting and operations
Compute
Application servers and edge functions run on Vercel, which holds SOC 2 Type II certification. Infrastructure is managed by Vercel; we do not operate bare-metal or self-managed servers.
Database
Postgres runs on Supabase, which is SOC 2 Type II certified. Your data resides in the region selected at project creation. (saavos is not currently configured for HIPAA-regulated data — please do not send PHI to your bot.)
Log retention
Application logs are retained for 30 days and then purged automatically. Conversation logs remain until you delete your bot or request deletion.
Compliance
GDPR
Data export and deletion on request. Contact founder@5minbot.com with the subject line “Data request — [your email]”. Handled within 30 days.
CCPA
California residents may request disclosure or deletion of personal data we hold. Same contact and timeline as GDPR above.
SOC 2 Type II (Q3 2026)
We are targeting a SOC 2 Type II audit in Q3 2026. This is a planned commitment, not a current certification. We will publish the report when issued.
Responsible disclosure
Report
Email security@5minbot.com with a description of the issue and steps to reproduce. Please do not post publicly before we have had a chance to respond.
Response
We acknowledge all reports within 48 hours. Verified issues are triaged immediately. We credit researchers in our changelog unless you prefer to remain anonymous.