Your customer data, never the product.
PII redaction by role across the dashboard, the AI prompt, and the audit log. Self-hosted email and password until the final phase. Daily DB backups + cross-region replicas + disk snapshots.
Security primitives, named and shipped.
We do not say “enterprise grade” and stop. Here is what is actually wired.
Payment credentials sealed at rest
Customer-supplied Authorize.Net keys are encrypted with AES-256-GCM under a master key from Google Secret Manager before they touch the database.
Visitor PII redaction by role
The Agent role sees masked email and phone everywhere by default. OWNER and ADMIN see originals. A per-agent toggle promotes individual agents. Bulk lead exports sit behind a TOTP gate.
Refresh token reuse detection
Stolen refresh tokens fail safely. The moment a revoked token is replayed, the entire session family is killed.
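A sketch of the reuse detection described above, as an added example rather than the product's own code. It assumes refresh tokens are rotated on every use and grouped by a family id; the in-memory maps and the names `RefreshTokenStore`, `issue`, `rotate`, and `demo` are hypothetical.

```javascript
const crypto = require('node:crypto');

const sha256 = (t) => crypto.createHash('sha256').update(t).digest('hex');

class RefreshTokenStore {
  constructor() {
    this.tokens = new Map();       // tokenHash -> { familyId, userId, revoked }
    this.deadFamilies = new Set(); // families killed after a replay
  }

  // Issue a token; a fresh familyId starts a new session family at login.
  issue(userId, familyId = crypto.randomUUID()) {
    const token = crypto.randomBytes(32).toString('base64url');
    this.tokens.set(sha256(token), { familyId, userId, revoked: false }); // only the hash is stored
    return token;
  }

  // Exchange a token for its successor, or kill the whole family on replay.
  rotate(token) {
    const rec = this.tokens.get(sha256(token));
    if (!rec) return { ok: false, reason: 'unknown' };
    if (this.deadFamilies.has(rec.familyId)) return { ok: false, reason: 'family_revoked' };
    if (rec.revoked) {
      // A rotated token came back: two parties hold tokens from this family
      // and the server cannot tell which is legitimate, so both lose access.
      this.deadFamilies.add(rec.familyId);
      return { ok: false, reason: 'reuse_detected' };
    }
    rec.revoked = true; // each token is valid for exactly one rotation
    return { ok: true, token: this.issue(rec.userId, rec.familyId) };
  }
}

// Constructed scenario: t1 is rotated to t2, then t1 is replayed.
function demo() {
  const store = new RefreshTokenStore();
  const t1 = store.issue('agent-1');
  const t2 = store.rotate(t1).token;                  // legitimate rotation
  const replay = store.rotate(t1);                    // revoked token replayed
  const after = store.rotate(t2);                     // newest token is now dead too
  const other = store.rotate(store.issue('agent-1')); // separate family unaffected
  return { replay: replay.reason, after: after.reason, otherOk: other.ok };
}

console.log(demo());
```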
TOTP 2FA and recovery codes
Every agent can self-enroll in RFC 6238 TOTP with single-use, bcrypt-hashed recovery codes. Owners can force enrollment for admins on the Leads page.
ClamAV plus DLP on every upload
Magic-byte sniff, image-bomb dimension check, EXIF strip, antivirus scan, and PII detection in text uploads.
Threat intel on every visitor
Threat intelligence scoring runs at session creation and ticket submit. VPN, Tor, compromised servers, and high-risk IPs are rejected silently. Verdicts are cached for 24h to keep cost down.
Email DKIM, SPF, and event tracking
Every customer authenticates their own sending domain. Outbound mail is DKIM-signed. Delivered, opened, bounced, and spam-reported events patch the message bubble in place via SendGrid Event Webhook.
Append-only audit log
Workspace, role, and auth state changes are recorded with actor, IP, and user agent. The actor name survives even if the agent is later removed.
GDPR and DMCA built in
A public data deletion form scrubs visitor PII on approval. The takedown form quarantines flagged attachments through the same scanner pipeline.
IP blocklist and click-fraud gateway
Per-workspace IP bans hide visitors and reject widget sessions. An optional ad-click gateway gates Google Ads traffic before it touches your landing page.
No third-party auth dependencies
Self-hosted email plus bcrypt(12) plus JWT. Your sessions live in your database. There is no Clerk, Auth0, or Google OAuth surface to compromise.
Smart relay does not leak addresses
When a visitor reply is forwarded to the assignee's mailbox, From is rewritten to a per-conversation alias. The visitor never learns the agent's personal email; the agent never has to expose theirs to reply.
E-signature with audit-grade PDF
Every signed contract and per-version sign-off renders a server-side PDF embedding the canvas signature image, signer name plus company plus title, IP, user agent, and timestamp. Customer and project lead both receive confirmation emails on every signing event.
Employee data, scoped and audit-logged
HR fields (salary, attendance, slips) are owner- and admin-only by default. Cross-agent mailbox impersonation is allowed for owners, but every access is recorded as mail.impersonate.view in the audit log. Salary slip generation runs in workspace-local time, not UTC.
Multi-gateway payments with creator attribution
Multiple titled Authorize.Net gateways per workspace, each with separately encrypted credentials. Every payment proposal carries an explicit creatorAgentId so attribution to the agent who closed the deal is unambiguous on the leaderboard.
The vendors and standards already wired in.
Each badge is a primitive in the running stack, not a marketing claim. We avoid certifications we haven't earned.
Hosted on Google Cloud Compute, secrets in Secret Manager.
Google-managed SSL on every public hostname, auto-rotated.
TLS 1.3 by default at the edge, HSTS preload across the suite.
Helmet, CSP, parameterised SQL, throttling, audit log on every consequential action.
Customer payment credentials sealed with a master key from Secret Manager before they touch Postgres.
Hosted form payments. Card data never touches our servers, only the gateway.
Every file upload streamed through clamd plus a magic-byte sniff and image-bomb check.
Public data deletion form, scrub on approval, audit trail retained for the timeline obligation.
We answer the security questionnaire ourselves.
Reach out and we'll respond in the same thread, not via a sales engineer pool.
