Security at Contexo
Last updated: May 3, 2026
We treat the security of your account, your documents, and your visitors' conversations as a first-class concern. This page describes the technical and organizational measures we use. It is a snapshot, not a contract; for binding commitments see your agreement with us.
1. Infrastructure
- Application data is stored in PostgreSQL (managed by Supabase) with Row-Level Security enforced on every multi-tenant table. Tenant isolation is database-level, not just application-level.
- Service-role credentials are restricted to the backend; the dashboard never receives them.
- Backups are managed by Supabase per their published policy.
2. Encryption
- In transit: TLS 1.2 or higher for all dashboard, API, and webhook traffic.
- At rest: database, object storage, and embedding indexes are encrypted by our cloud subprocessors using AES-256 or stronger.
3. Authentication and access
- Customer authentication is handled by Supabase Auth (email/password and Google OAuth). Passwords are never stored by Contexo.
- Dashboard requests are authenticated with short-lived JWTs. Server-side middleware verifies the token on every request before attaching the user's plan and quota context.
- Internal staff access to production systems is granted on a least-privilege basis.
4. Tenant isolation and quota safety
- Per-user resource limits (widgets, monthly messages, storage) are enforced atomically through dedicated PostgreSQL functions guarded by per-user advisory locks. This prevents time-of-check/time-of-use races in which two concurrent requests could exceed a quota.
- Knowledge-byte reservations for document ingestion are transactional, so partial uploads cannot inflate a tenant's storage quota.
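The quota race described above, as an added example that is not Contexo's code. The page says the real enforcement lives in dedicated PostgreSQL functions guarded by per-user advisory locks; this in-memory simulation (constructed tenant data, simulated database latency, a per-user promise chain standing in for `pg_advisory_xact_lock`) exists only to make the time-of-check/time-of-use race reproducible without a database and to show how serializing the check and the write per user closes it.

```javascript
// Constructed tenant state: one user with a single monthly message left.
function makeStore() {
  return new Map([['user-1', { used: 9, limit: 10 }]]);
}

// Simulated database round trip; yields to the event loop like a real query would.
const io = () => new Promise((resolve) => setImmediate(resolve));

// NAIVE: read, check, then write as separate steps. Two concurrent calls can both
// observe used=9, both pass the check, and both write: the quota is exceeded.
async function reserveNaive(store, userId, n) {
  const row = store.get(userId);
  await io(); // read round trip
  if (row.used + n > row.limit) return false;
  await io(); // write round trip; the other caller's check interleaves here
  row.used += n;
  return true;
}

// Per-user lock: each reservation for a user runs only after the previous one has
// finished. This is the in-process analogue of pg_advisory_xact_lock(hashtext(user_id))
// taken inside a PostgreSQL function, where the check and the UPDATE share one
// transaction and the lock is released at commit.
const locks = new Map();
function withUserLock(userId, fn) {
  const prev = locks.get(userId) || Promise.resolve();
  const next = prev.then(fn);
  locks.set(userId, next.catch(() => {})); // a failed holder must not wedge the chain
  return next;
}

// SAFE: the same read/check/write, but as one critical section per user.
async function reserveAtomic(store, userId, n) {
  return withUserLock(userId, async () => {
    const row = store.get(userId);
    await io();
    if (row.used + n > row.limit) return false;
    await io();
    row.used += n;
    return true;
  });
}

// Fire two concurrent 1-message reservations against a user with 1 message left and
// report how many were granted and what the stored counter ended up as.
async function race(reserve) {
  const store = makeStore();
  const results = await Promise.all([
    reserve(store, 'user-1', 1),
    reserve(store, 'user-1', 1),
  ]);
  return { granted: results.filter(Boolean).length, used: store.get('user-1').used };
}

// Stand-alone demo: naive grants 2 (used=11), atomic grants 1 (used=10).
(async () => {
  console.log('naive :', await race(reserveNaive));
  console.log('atomic:', await race(reserveAtomic));
})();
```

The lock must cover both the check and the write; locking only the write, or checking in the application and updating in the database, leaves the same window open. In PostgreSQL the equivalent is to take the advisory lock inside the function before reading the current usage, so a second caller blocks until the first caller's transaction commits and then sees the updated count.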
5. Widget and visitor protections
- Each widget is locked to an allow-listed set of domains via server-side CORS checks. Embedding on an unauthorized domain fails preflight.
- Visitor IP addresses are SHA-256 hashed before storage; we never persist raw IPs.
- Each visitor session is identified by a cryptographically signed token verified on every message; tampering invalidates the session.
- Per-IP and per-widget rate-limits run before any AI work begins.
6. Payments and webhooks
- Card data and payment instruments never touch our servers; they are handled by Lemon Squeezy.
- Inbound Lemon Squeezy webhooks are verified by HMAC-SHA256 using a shared secret; signature mismatches are rejected.
- Each checkout is bound to the originating user via a one-time, server-minted nonce. The nonce is consumed atomically by the webhook, so a forged or replayed event cannot upgrade an arbitrary account.
- Add-on credits, plan upgrades, and refunds are persisted only after webhook signature and nonce verification.
7. Application security
- Helmet sets security headers on every API response (HSTS, X-Content-Type-Options, X-Frame-Options, etc.).
- Strict CORS policies separated by surface (dashboard vs. customer-website widget).
- Input validation on every endpoint; size limits on message payloads and uploaded documents.
- Dependencies are regularly audited and patched.
8. AI and data minimization
- We send to the LLM provider only what is required to answer a query (the visitor's message, the retrieved context, and your widget's system prompt).
- Our LLM and embeddings provider (currently Google Gemini) does not use customer data to train its foundation models per its enterprise terms.
- Customer documents are stored as text chunks plus vector embeddings; they are never shared with other tenants.
9. Operational security
- Production secrets are stored in environment variables managed by our hosting provider, never in source control.
- Production deploys are reviewed and traceable.
- Operational logs are retained for up to 90 days.
10. Incident response
If a security incident occurs that affects your data, we will notify affected customers without undue delay and, where applicable, the relevant regulatory authority within the timeframe required by law (typically 72 hours under GDPR). Our notice will describe what happened, what data was affected, what we did, and what you should do.
11. Reporting a vulnerability
If you believe you have found a security vulnerability, email security@contexo.ai with reproduction steps. We commit to acknowledging good-faith reports within 5 business days. Please do not test in ways that could affect other customers' data.
12. Compliance
We support customer obligations under the GDPR, the UK GDPR, the CCPA/CPRA, and the DPDP Act through our Privacy Policy, our Subprocessors list, and a Data Processing Addendum available on request from legal@contexo.ai. Contexo does not currently hold formal certifications such as SOC 2 or ISO 27001; we will update this page when that changes.
