
Security at SpycAI

Your data and your customers' data are our responsibility. Here is exactly how we protect that data.

🔒 TLS 1.3 + AES-256
🇮🇳 India data residency
🏗️ Tenant isolation (RLS)
📋 DPDP Act 2023 compliant
🔍 Immutable audit logs

Encryption
  • TLS 1.3 for all data in transit — no exceptions
  • AES-256 encryption for all data at rest
  • Database-level encryption on PostgreSQL
  • Encrypted backups stored in the same India region
  • End-to-end encrypted voice call recordings

Infrastructure
  • All India customer data on DigitalOcean Bangalore (BLR1)
  • PostgreSQL Row-Level Security for strict tenant isolation
  • Redis cache with authentication and TLS
  • AWS Lambda functions with least-privilege IAM roles
  • No cross-tenant data access — architecturally enforced
  • Automated daily backups with 30-day retention

Access Control
  • Multi-factor authentication (MFA) required for all admin access
  • Role-based access control (RBAC) within customer workspaces
  • Session tokens with short expiry and automatic rotation
  • All admin actions logged in immutable audit trail
  • Zero standing access — engineers use just-in-time access
  • Separate production and development environments
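The "immutable audit trail" item above is a claim about a property, not a description of a mechanism; the page does not say how SpycAI achieves it. The following is an added example, not SpycAI's code, of one standard way to make an audit log tamper-evident: every record carries an HMAC over its own fields plus the previous record's tag, so an edit, deletion or reordering anywhere in the chain is detected on verification. It assumes the HMAC key lives outside the database that stores the log (here a constructed constant), that records are JSON-serialisable, and that a separate job re-verifies the chain; the entries, actors and timestamps are constructed sample data.

```python
# Added example (not SpycAI's code): a keyed hash chain for a tamper-evident
# audit trail. Assumptions: the HMAC key is stored outside the log's database
# (DEMO_KEY is a constructed stand-in), and verification runs as a separate job.
from __future__ import annotations
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for "the tag of the record before the first"
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    # Stable serialisation: the same record always produces the same bytes,
    # so the tag does not depend on dict ordering or whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.records: list[dict] = []

    def _tag(self, body: dict) -> str:
        return hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, target: str, ts: str) -> dict:
        prev = self.records[-1]["tag"] if self.records else GENESIS
        body = {"seq": len(self.records), "ts": ts, "actor": actor,
                "action": action, "target": target, "prev": prev}
        rec = {**body, "tag": self._tag(body)}
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, int]:
        """Walk the chain from the start. Returns (True, -1) if every record's
        sequence number, back-link and tag check out, otherwise (False, index)
        for the first record that fails."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if (rec.get("seq") != i
                    or body.get("prev") != prev
                    or not hmac.compare_digest(self._tag(body), rec.get("tag", ""))):
                return False, i
            prev = rec["tag"]
        return True, -1


def build_demo_log() -> AuditLog:
    # Constructed sample admin actions (not real data).
    log = AuditLog(DEMO_KEY)
    log.append("alice@example.com", "grant_jit_access", "tenant:acme", "2024-01-01T10:00:00Z")
    log.append("alice@example.com", "view_conversation", "conv:123", "2024-01-01T10:05:00Z")
    log.append("alice@example.com", "revoke_jit_access", "tenant:acme", "2024-01-01T10:30:00Z")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("intact:", log.verify())
    log.records[1]["action"] = "noop"      # simulate after-the-fact editing
    print("after edit:", log.verify())     # first failing record is index 1
```

The chain makes tampering detectable; it does not by itself prevent it. In practice it is paired with database grants that give the application role INSERT but not UPDATE or DELETE on the log table, and with periodic copies of the latest tag to storage the application cannot write, so a deleted tail is noticed as well.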

Application Security
  • OWASP Top 10 mitigations applied across all endpoints
  • CSRF protection on all state-changing requests
  • SQL injection prevention via parameterised queries (SQLAlchemy ORM)
  • Rate limiting on all public-facing APIs
  • Input validation and output sanitisation throughout
  • Dependency vulnerability scanning on every deployment
  • Automatic PII redaction on voice call transcripts
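The last item, automatic PII redaction on voice call transcripts, is the one control in this list that is easy to show concretely. The block below is an added example, not SpycAI's code, of redacting a transcript before it is written to long-term storage. It assumes transcripts are plain text, that phone numbers follow the Indian mobile format (optional +91 or 0 prefix, ten digits starting 6-9, optionally split 5+5), that card numbers are 13 to 19 digits that pass the Luhn check, and that each match is replaced by a fixed placeholder token. Names are deliberately not covered: that needs a named-entity model, not a regular expression. The sample transcript line is constructed.

```python
# Added example (not SpycAI's code): regex-based PII redaction for a call
# transcript. Assumptions: Indian mobile number format, Luhn-validated card
# numbers, fixed placeholder tokens. Names are out of scope (needs NER).
from __future__ import annotations
import re

# Indian mobile: optional "+91 " or "0" prefix, first digit 6-9, ten digits,
# optionally split as 5+5. The digit look-arounds stop the pattern matching
# a ten-digit slice inside a longer digit run such as a card or order number.
PHONE_RE = re.compile(r"(?<!\d)(?:\+91[\s-]?|0)?[6-9]\d{4}[\s-]?\d{5}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Card candidate: 13-19 digits, each optionally followed by one space or dash.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers and other long digit strings are not
    mistaken for payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_transcript(text: str) -> tuple[str, dict[str, int]]:
    """Return the redacted transcript and a count of replacements per type.
    The counts can be logged as evidence that redaction ran without logging
    the PII itself."""
    counts = {"CARD": 0, "PHONE": 0, "EMAIL": 0}

    def card_sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            counts["CARD"] += 1
            return "[CARD]"
        return m.group(0)       # not a card number: leave it untouched

    # Cards first, so a PAN is never partially consumed by the phone pattern.
    text = CARD_RE.sub(card_sub, text)
    text, n = PHONE_RE.subn("[PHONE]", text)
    counts["PHONE"] += n
    text, n = EMAIL_RE.subn("[EMAIL]", text)
    counts["EMAIL"] += n
    return text, counts


# Constructed sample transcript line (not real data; 4111... is a test PAN).
SAMPLE = ("Caller: my number is +91 98765 43210, card 4111 1111 1111 1111, "
          "email ravi@example.com, order 1234567890123456.")

if __name__ == "__main__":
    redacted, counts = redact_transcript(SAMPLE)
    print(redacted)
    print(counts)
```

The order of the substitutions matters: card numbers are handled before phone numbers because a sixteen-digit PAN written with separators could otherwise be partly eaten by the phone pattern, leaving a fragment of the card in the stored transcript. The Luhn check keeps the order number in the sample intact, which is the kind of false positive that would otherwise make transcripts useless for support staff.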

Monitoring & Response
  • 24/7 infrastructure monitoring with automated alerting
  • Anomaly detection for unusual access patterns
  • Sentry error tracking with PII scrubbing enabled
  • Security incident response plan with defined SLAs
  • Data breach notification within 72 hours as required by law
  • Regular internal security reviews and threat modelling

Compliance
  • DPDP Act 2023 (India) — data processing compliance
  • IT Act 2000 — information security obligations
  • TRAI regulations — voice and messaging compliance
  • Meta WhatsApp Business Policy — messaging standards
  • PCI-DSS via Razorpay and Stripe (we never store card data)
  • SOC 2-aligned internal controls (audit in progress)

Security FAQ

Does SpycAI train AI models on my customer data?

No. We never use your conversation data, knowledge base content, or customer interactions to train our AI models without your explicit written consent. Our AI agents use your data only to answer queries in real time.

Where is my data stored?

All data for Indian customers is stored exclusively on DigitalOcean servers in the Bangalore (BLR1) region. No data leaves India without your explicit consent. International customers' data is stored in the nearest DigitalOcean region to their location.

Can SpycAI employees access my conversation data?

Access to customer data is strictly controlled. Engineers use just-in-time access with MFA, and all access is logged in an immutable audit trail. We access customer data only when required to resolve a support issue, and only with your knowledge.

How are voice call transcripts handled?

Voice call transcripts are encrypted at rest using AES-256. Our system automatically redacts PII (names, phone numbers, financial details) before long-term storage. You can configure retention periods and delete transcripts at any time from your dashboard.

What happens to my data if I cancel?

Your data remains available for export for 30 days after cancellation. After 30 days, all data is permanently and irreversibly deleted from our servers and backups. We can provide a deletion certificate on request.

Do you have a bug bounty programme?

We do not currently run a formal bug bounty programme, but we take all responsible disclosures seriously and will acknowledge and reward significant findings at our discretion. Please see our responsible disclosure policy below.

Responsible Disclosure

If you discover a security vulnerability in the SpycAI platform, we ask that you report it to us privately before disclosing it publicly. We commit to:

  • Acknowledge your report within 48 hours
  • Provide a timeline for investigation and remediation within 7 days
  • Keep you informed of our progress
  • Credit you in our security acknowledgements (if you wish)
  • Not pursue legal action against good-faith researchers
📧 Report vulnerabilities to: security@SpycAI.com

Please do not test against production systems or access customer data during your research.

Have a security question?

Our team is happy to answer detailed security questions for enterprise and Pro plan customers.
