Our Security Approach
At CompanionFrame API, security is fundamental to our service. We implement industry-standard security practices to protect your business data and your users' conversations. While we're a growing platform, we take security seriously and continuously improve our protection measures.
Security Commitment
We're committed to maintaining high security standards through:
- ✅ Encryption of sensitive data in transit (TLS 1.3) and at rest (AES-256-GCM)
- ✅ Industry-standard infrastructure with enterprise-grade providers
- ✅ Regular security updates and monitoring
- ✅ Transparent incident reporting and response
- ✅ Ongoing security improvements as we grow
Data Encryption and Protection
🔒 Conversation Data Encryption
AES-256-GCM Encryption: All conversation data processed through our API is encrypted with AES-256-GCM before it is written to our database. Each user's conversations are encrypted under a key unique to that user, so a copy of the database alone does not reveal conversation contents. Conversation data is decrypted in the application layer only when needed to generate a response (see OpenAI Integration Security below); this protects data at rest and is not end-to-end encryption between your users and the AI model.
- Algorithm: AES-256-GCM (AES with a 256-bit key in Galois/Counter Mode, an authenticated mode that detects tampering as well as hiding content)
- Key management: A unique encryption key per user
- Implementation: Encryption in the application layer before the record is written to the database
- Access: Stored data is decrypted only to serve authorized API requests
🌐 Transport Layer Security
TLS 1.3 Encryption: All data transmitted to and from our API is protected using the latest TLS 1.3 encryption standard. This ensures that your API requests and responses are secure during transmission.
- Protocol: TLS 1.3 (Transport Layer Security)
- Coverage: All API endpoints and dashboard access
- Certificates: Industry-standard TLS certificates (commonly still called SSL certificates)
- Forward secrecy: Every TLS 1.3 session uses an ephemeral (EC)DHE key exchange, so recorded traffic cannot be decrypted later even if the server's long-term private key is compromised
🔑 API Key Security
Secure API Authentication: API keys are hashed with bcrypt, which salts every hash, before storage. We never store plain-text API keys, and keys are generated with a cryptographically secure random generator.
- Generation: Cryptographically secure random key generation
- Storage: Bcrypt hashing with salt (never plain-text)
- Format: Structured keys that carry a client identifier alongside the random secret
- Rotation: Customers can rotate keys through their dashboard
Infrastructure Security
We partner with industry-leading providers to ensure our infrastructure meets high security standards:
🏗️ Security Infrastructure Partners
- Database (MongoDB Atlas): Enterprise-grade database with encryption at rest, network isolation, and access controls
- Hosting (Vercel): Secure serverless deployment with automatic HTTPS, DDoS protection, and edge security
- CDN: CDN and security services with DDoS protection, WAF, and TLS optimization
- AI processing (OpenAI): Enterprise security, data isolation, and privacy protection
Database Security
- MongoDB Atlas Security: Enterprise-grade cloud database with encryption at rest and in transit
- Network isolation: Database access restricted to authorized application servers only
- Role-based access: Minimum necessary permissions for database operations
- Automated backups: Encrypted backups with geographic distribution
Application Security
- Serverless architecture: Vercel serverless functions with automatic scaling and isolation
- Environment isolation: Separate environments for development, staging, and production
- Secret management: Environment variables for sensitive configuration
- Dependency scanning: Regular security updates for all dependencies
Access Controls and Authentication
API Access Management
- API key authentication: Every API request must present a valid API key (see API Key Security above)
- Rate limiting: Automatic request throttling to prevent abuse and ensure fair usage
- Request logging: Comprehensive logs of API access for security monitoring
- IP restrictions: Optional IP allowlisting for enhanced security (enterprise customers)
Dashboard Security
- Secure authentication: Password-based login with session management
- Session security: Secure session tokens with automatic expiration
- CSRF protection: Cross-site request forgery protection on all forms
- Account lockout: Repeated failed logins lock the account, slowing brute-force password guessing
Third-Party Security
We carefully evaluate the security practices of all third-party services we integrate with:
OpenAI Integration Security
- Data processing: Conversations processed temporarily for AI response generation only
- No model training: Your data is not used to train OpenAI's models
- Transit encryption: All data sent to OpenAI is encrypted using HTTPS/TLS
- Data retention: OpenAI retains API inputs only as its published API data-usage policy allows (limited retention for abuse monitoring), not for its own use
Payment Security
- Stripe integration: PCI DSS compliant payment processing
- No card storage: We never store customer payment card information
- Secure tokens: Payment data handled through secure Stripe tokens only
- Fraud protection: Built-in fraud detection and prevention
Security Monitoring and Logging
What We Monitor
- API access patterns: Unusual request patterns or potential abuse attempts
- Authentication events: Login attempts, failed authentication, suspicious activity
- System health: Server performance, error rates, and availability metrics
- Security events: Potential security incidents and anomalous behavior
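The first two monitoring items, unusual request patterns and failed authentication, are the easiest to turn into concrete detection logic. The following is an added example written for this page, not CompanionFrame's monitoring: it reads JSON-lines access logs with assumed `ts`, `keyId`, `ip`, `path` and `status` fields, flags an IP with many 401 responses in a sliding window and a key with a request burst, and tolerates malformed lines. The log lines and thresholds are constructed for the example.

```javascript
// Added example, not CompanionFrame code. Sliding-window detection over
// constructed API access logs (JSON lines).
const FAILED_AUTH_THRESHOLD = 5;   // 401 responses from one IP per window
const BURST_THRESHOLD = 25;        // requests from one key per window
const WINDOW_MS = 60 * 1000;

function line(ts, keyId, ip, status) {
  return JSON.stringify({ ts, keyId, ip, path: '/v1/chat', status });
}

// Constructed sample log: normal traffic, a key-guessing run from one IP,
// a burst from one valid key, and one malformed line.
const T0 = Date.parse('2024-05-01T10:00:00Z');
const SAMPLE_LOG = [
  ...[0, 15, 40].map(s => line(new Date(T0 + s * 1000).toISOString(), 'k_good', '198.51.100.4', 200)),
  ...[1, 4, 7, 10, 13, 16].map((s, i) =>
    line(new Date(T0 + s * 1000).toISOString(), `k_guess${i}`, '203.0.113.9', 401)),
  ...Array.from({ length: 30 }, (_, i) =>
    line(new Date(T0 + 120000 + i * 1000).toISOString(), 'k_bursty', '192.0.2.7', 200)),
  '{"ts": "not json',
].join('\n');

// Parse JSON lines. Malformed lines are counted rather than fatal: a
// detector that dies on one bad line is itself a denial-of-service target.
function parseLog(text) {
  const events = [];
  let malformed = 0;
  for (const raw of text.split('\n')) {
    if (!raw.trim()) continue;
    try {
      const e = JSON.parse(raw);
      const ts = Date.parse(e.ts);
      if (Number.isNaN(ts)) throw new Error('bad timestamp');
      events.push({ ...e, ts });
    } catch (err) {
      malformed++;
    }
  }
  return { events, malformed };
}

// Largest number of timestamps that fall inside any windowMs span.
function maxInWindow(timestamps, windowMs) {
  const t = [...timestamps].sort((a, b) => a - b);
  let best = 0;
  let lo = 0;
  for (let hi = 0; hi < t.length; hi++) {
    while (t[hi] - t[lo] > windowMs) lo++;
    best = Math.max(best, hi - lo + 1);
  }
  return best;
}

function groupTimestamps(events, keyFn) {
  const m = new Map();
  for (const e of events) {
    const k = keyFn(e);
    if (!m.has(k)) m.set(k, []);
    m.get(k).push(e.ts);
  }
  return m;
}

// Returns findings plus the count of lines that could not be parsed.
function detect(logText) {
  const { events, malformed } = parseLog(logText);
  const findings = [];
  const failed = events.filter(e => e.status === 401);
  for (const [ip, ts] of groupTimestamps(failed, e => e.ip)) {
    const n = maxInWindow(ts, WINDOW_MS);
    if (n >= FAILED_AUTH_THRESHOLD) findings.push({ type: 'failed_auth', subject: ip, count: n });
  }
  for (const [keyId, ts] of groupTimestamps(events, e => e.keyId)) {
    const n = maxInWindow(ts, WINDOW_MS);
    if (n >= BURST_THRESHOLD) findings.push({ type: 'burst', subject: keyId, count: n });
  }
  return { findings, malformed };
}
```

Keying the failed-auth rule on source IP rather than on key is deliberate: a key-guessing run presents a different (invalid) key on every request, so per-key counts would never cross the threshold. In production the window state would live in a shared store rather than in process memory, since serverless functions do not share memory between invocations.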
Logging and Retention
- Security logs: Comprehensive logging of security-relevant events
- Access logs: API requests and dashboard access for security analysis
- Retention period: Security logs retained for 2 years for incident investigation
- Log protection: Logs are encrypted and access-controlled
Monitoring Scope
Important: As a growing platform, our security monitoring is implemented using industry-standard tools and practices. We continuously improve our monitoring capabilities and will enhance our security operations as we scale.
Incident Response
Security Incident Process
- Detection: Security incidents detected through monitoring or customer reports
- Assessment: Rapid evaluation of incident scope and potential impact
- Containment: Immediate steps to contain and mitigate the incident
- Investigation: Thorough investigation to understand root cause and impact
- Communication: Transparent communication with affected customers
- Resolution: Implementation of fixes and preventive measures
- Follow-up: Post-incident review and security improvements
Customer Notification
- Incident reporting: We will notify customers of security incidents that may affect their data
- Timeline: Notification typically within 72 hours of incident discovery
- Communication channels: Email notifications and status page updates
- Transparency: Clear information about what happened and what we're doing about it
Data Security Best Practices
Customer Responsibilities
While we provide strong security measures, we recommend customers also follow security best practices:
- API key security: Store API keys in a secrets manager or environment variables, never in client-side code or source control
- Key rotation: Regularly rotate API keys and remove unused keys
- Access control: Limit API key access to necessary team members only
- Environment separation: Use different API keys for development, testing, and production
- Monitoring: Monitor your API usage for unusual patterns or unauthorized access
Integration Security
- HTTPS only: Always use HTTPS when making API requests
- Input validation: Check the type, length and format of user input before sending it to our API
- Error handling: Implement proper error handling to avoid exposing sensitive information
- Rate limiting: Respect rate limits; when a request is throttled, wait and retry with exponential backoff instead of retrying immediately
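A client wrapper that applies the four integration practices above in one place, as an added example written for this page rather than an official SDK. It assumes a placeholder endpoint URL, that the key is read from an environment variable, that throttling is signalled with HTTP 429 and an optional Retry-After header, the illustrative `cf_live_<id>_<secret>` key format for redaction, and an assumed 4000-character message limit; fetch and sleep are injectable so the retry flow can be exercised offline.

```javascript
// Added example, not CompanionFrame code. HTTPS-only client with input
// validation, redacted errors, and backoff that honours Retry-After.
const MAX_ATTEMPTS = 5;

// Refuse to send a key anywhere but over HTTPS.
function assertHttps(url) {
  if (new URL(url).protocol !== 'https:') throw new Error('API calls must use https://');
}

// Delay before the next attempt: a numeric Retry-After (seconds) wins;
// otherwise exponential backoff with full jitter, capped at 30 s.
function backoffDelayMs(attempt, retryAfter, random = Math.random) {
  const ra = retryAfter == null ? NaN : Number(retryAfter);
  if (Number.isFinite(ra) && ra >= 0) return ra * 1000;
  const cap = Math.min(30000, 500 * 2 ** attempt);
  return Math.floor(random() * cap);
}

// Strip anything in the assumed key format from text that will be logged
// or shown to a user.
function redactKeys(text) {
  return String(text).replace(/cf_live_[0-9a-f]+_[0-9a-f]+/g, 'cf_live_[REDACTED]');
}

// Validate before the message leaves your system; 4000 is an assumed limit.
function validateMessage(message) {
  if (typeof message !== 'string') throw new Error('message must be a string');
  const m = message.trim();
  if (m.length === 0 || m.length > 4000) throw new Error('message length out of range');
  return m;
}

async function sendMessage(message, opts = {}) {
  const {
    url = 'https://api.example.invalid/v1/chat',  // placeholder endpoint
    apiKey = process.env.COMPANIONFRAME_API_KEY,    // from the environment, not source
    fetchImpl = globalThis.fetch,
    sleep = ms => new Promise(resolve => setTimeout(resolve, ms)),
  } = opts;
  assertHttps(url);
  if (!apiKey) throw new Error('API key not configured');
  const body = JSON.stringify({ message: validateMessage(message) });
  let attempts = 0;
  for (;;) {
    attempts++;
    let res;
    try {
      res = await fetchImpl(url, {
        method: 'POST',
        headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
        body,
      });
    } catch (err) {
      // Network failure: surface a redacted message, never raw request details.
      if (attempts >= MAX_ATTEMPTS) throw new Error(redactKeys(`request failed: ${err.message}`));
      await sleep(backoffDelayMs(attempts, undefined));
      continue;
    }
    if (res.status === 429 || res.status >= 500) {
      if (attempts >= MAX_ATTEMPTS) {
        throw new Error(`giving up after ${attempts} attempts (last status ${res.status})`);
      }
      await sleep(backoffDelayMs(attempts, res.headers.get('retry-after')));
      continue;
    }
    return { status: res.status, attempts, body: await res.json() };
  }
}

// Constructed stub server: two 429s with Retry-After: 0, then a 200.
async function demoRateLimit() {
  let calls = 0;
  const fetchImpl = async () => {
    calls++;
    if (calls < 3) {
      return { status: 429, headers: { get: h => (h === 'retry-after' ? '0' : null) }, json: async () => ({}) };
    }
    return { status: 200, headers: { get: () => null }, json: async () => ({ reply: 'ok' }) };
  };
  return sendMessage('hello', { apiKey: 'cf_live_0000_0000', fetchImpl, sleep: async () => {} });
}
```

Retrying only on 429 and 5xx is intentional: a 4xx other than 429 means the request itself is wrong, and repeating it just burns quota. The jitter stops a fleet of clients that were throttled together from retrying in lockstep.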
Vulnerability Management
Security Updates
- Dependency management: Regular updates of all software dependencies
- Security patches: Prompt application of security patches and fixes
- Vulnerability scanning: Regular scanning for known security vulnerabilities
- Code review: Security-focused code review for all changes
Responsible Disclosure
If you discover a security vulnerability in our service, please report it responsibly:
🔍 Security Vulnerability Reporting
- Email: security@companionframe-api.com
- Response time: We aim to acknowledge reports within 72 hours
- Investigation: We'll investigate and provide updates on our progress
- Resolution: We'll work to resolve valid vulnerabilities promptly
- Credit: We're happy to credit responsible researchers (with permission)
Please: Give us reasonable time to fix issues before public disclosure
Security Roadmap
As CompanionFrame API grows, we're committed to continuously improving our security posture:
Planned Security Enhancements
- Enhanced monitoring: Expanded security monitoring and alerting capabilities
- Security assessments: Regular third-party security assessments as we scale
- Advanced features: Additional security features for enterprise customers
- Compliance frameworks: Working toward industry compliance standards
- Security automation: Automated security testing and deployment practices
Security Questions and Concerns
For security-related questions, vulnerability reports, or concerns about our security practices:
Security Contact
- Security Team: security@companionframe-api.com
- General Support: support@companionframe-api.com
Enterprise Security
- Custom security requirements: Available for enterprise customers
- Security documentation: Detailed security information for compliance reviews
- Dedicated support: Priority security support for large customers
CompanionFrame Limited
Registered in England and Wales
United Kingdom
Security response commitment: We respond to security inquiries within 72 hours and prioritize security issues appropriately.