Built for trust.
Your customer data, encrypted in transit and at rest. Your bot, owned by you. Your compliance roadmap, transparent.
Data protected in motion and at rest.
All traffic between your browser, the embed widget, and saavos servers travels over TLS 1.3. Older protocol versions are rejected at the Vercel edge.
Your data is stored on Supabase (Postgres), which encrypts all data at rest with AES-256. Encryption is managed by the database layer — no extra configuration required on your end.
Programmatic API keys are stored as SHA-256 hashes. We never store the raw key after you copy it on creation. If a key is lost, revoke it and issue a new one.
Your bot's data is yours alone.
Every table in the saavos database has Postgres Row Level Security (RLS) enabled from the first migration. Queries scoped to your session can only read and write rows where owner_id matches your account — enforced at the database layer, not just in application code.
Each bot, its knowledge sources, and its conversation logs are isolated by owner_id. You cannot accidentally read another owner's data, and neither can we through normal query paths.
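As an added example (not saavos's own migration), this is what per-owner Row Level Security on Supabase Postgres looks like, with a final check that the isolation holds; the table name bots, the uuid type of owner_id, and the use of Supabase's auth.uid() to identify the session's account are assumptions:

```sql
-- Constructed example: per-owner isolation for an assumed table "bots".
-- owner_id holds the account's auth user id (uuid).
ALTER TABLE public.bots ENABLE ROW LEVEL SECURITY;
-- Also apply the policies to the table's owner role, so a privileged
-- application connection cannot silently bypass them.
ALTER TABLE public.bots FORCE ROW LEVEL SECURITY;

-- Read: a session only sees rows it owns.
CREATE POLICY bots_owner_select ON public.bots
  FOR SELECT TO authenticated
  USING (owner_id = auth.uid());

-- Write: new or updated rows must stay bound to the caller's own account,
-- so a request cannot insert or re-parent a row under another owner.
CREATE POLICY bots_owner_insert ON public.bots
  FOR INSERT TO authenticated
  WITH CHECK (owner_id = auth.uid());

CREATE POLICY bots_owner_update ON public.bots
  FOR UPDATE TO authenticated
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

CREATE POLICY bots_owner_delete ON public.bots
  FOR DELETE TO authenticated
  USING (owner_id = auth.uid());

-- Check from psql: impersonate an authenticated user and confirm that only
-- that owner's rows are visible. Assumes Supabase's auth.uid() reads the
-- "sub" claim from the request.jwt.claims setting.
BEGIN;
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);
SELECT count(*) FROM public.bots;          -- rows owned by that uuid only
SELECT count(*) FROM public.bots
  WHERE owner_id <> auth.uid();            -- expected: 0
ROLLBACK;
```

A table with RLS enabled but no policy returns no rows to the authenticated role at all, so a forgotten policy fails closed rather than open.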
We do not use your knowledge sources, chat logs, or any customer-submitted content to train or fine-tune AI models. Your data is used only to answer queries on your behalf.
Accounts and programmatic access.
Dashboard sessions are managed by Supabase Auth using secure HttpOnly cookies. Google OAuth is supported. Passwords (if used) are stored as bcrypt hashes by Supabase — we never see plaintext credentials.
Each owner can issue one or more API keys for programmatic access. Keys are scoped per owner, can be revoked at any time from the dashboard, and stop working the moment they are deleted — there is no grace period after revocation.
Where your data lives.
Application servers and edge functions run on Vercel, which holds SOC 2 Type II certification. Infrastructure is managed by Vercel; we do not operate bare-metal or self-managed servers.
Postgres runs on Supabase, which is SOC 2 Type II certified and offers HIPAA-eligible plans. Your data resides in the region selected at project creation.
Application logs are retained for 30 days and then purged automatically. Conversation logs remain until you delete your bot or request deletion.
Where we are and where we're going.
GDPR: data export and deletion on request. Contact founder@5minbot.com with the subject line “Data request — [your email]”. Requests are handled within 30 days.
California residents may request disclosure or deletion of personal data we hold. Same contact and timeline as GDPR above.
We are targeting a SOC 2 Type II audit in Q3 2026. This is a planned commitment, not a current certification. We will publish the report when issued.
Found a vulnerability?
Email security@5minbot.com with a description of the issue and steps to reproduce. Please do not post publicly before we have had a chance to respond.
We acknowledge all reports within 48 hours. Verified issues are triaged immediately. We credit researchers in our changelog unless you prefer to remain anonymous.