Security

Security & data handling.

PraxTalk is in open beta — SOC 2 Type II is in progress. The architecture below is what we run today; this page updates as we add controls.

Architecture

  • Multi-tenant by design. Every row in every table carries a workspaceId. Indexes start with workspaceId. Server-side queries gate every read/write through requireOperator + hasBrandAccess before touching data.
  • Auth. Custom token auth — PBKDF2-SHA256 with 100k iterations, salt + key stored as a self-describing string. Session tokens are 32 random bytes hex-encoded; we store SHA-256 of the token, never the raw value.
  • API keys. Workspace-scoped or brand-scoped. Stored as a SHA-256 hash; the raw value is shown to the operator once at mint time and never again. Revocation is immediate.
  • Webhooks. Every outbound POST is signed with HMAC-SHA256 over <timestamp>.<rawBody> (Stripe-style). Because the timestamp is covered by the signature, receivers get replay protection and signature timestamping out of the box.
  • Email integration. ESP API keys stored encrypted at rest by the underlying datastore; never round-tripped to the browser after save.

Compliance

  • GDPR-ready. Visitors can request deletion; workspace data exports are available via the REST API.
  • SOC 2 Type II — in progress. Targeting v1.0 launch.
  • Data residency. Currently single-region (US-East). EU-resident-only deployments available on enterprise plans at v1.0.

Vulnerability disclosure

Find a security issue? Email security@praxtalk.com. We acknowledge within 24 hours and aim to ship a fix within 7 days for high-severity issues. We don't run a paid bug bounty during the beta; full disclosure credit is given once the fix lands.

Sub-processors

Vendors that process customer data on our behalf. Same list as the DPA, kept here as the human-readable canonical source.

We notify workspace owners 30 days before adding or replacing any sub-processor; you can object via privacy@praxtalk.com. See the DPA for the contractual obligations that bind each one.

  • Convex (USA) — primary database + real-time backend.
  • Vercel (USA) — application hosting, Edge runtime, and CDN.
  • Anthropic (USA) — Atlas AI inference (Claude). Zero data retention; not opted in to model training.
  • Postmark / SendGrid / Resend (USA / EU) — transactional + workspace email delivery. Customer picks one per workspace.
  • Twilio / CallHippo / TeleCMI (USA / India) — voice + SMS, when enabled.
  • Meta WhatsApp Business Cloud API (Ireland) — WhatsApp channel, when enabled.
  • Upstash (USA) — Redis-backed rate limiting + ephemeral counters.
  • Cloudflare (USA) — Turnstile CAPTCHA + edge DDoS protection.
  • PayPal / Razorpay (USA / India) — subscription billing; we never see your card details.

Privacy

We collect what's necessary to run a chat platform: visitor identifier, optional name/email/phone (only when the visitor submits the pre-chat form), conversation contents, and approximate IP-derived location. We don't sell, share, or use customer data for advertising, model-training, or any secondary purpose.

For data deletion or export requests, email privacy@praxtalk.com. Workspace owners can self-serve a complete JSON export from /app/settings at any time.