
Security & Compliance.

Last updated on Mar 05, 2026

1) Security overview
Thunaivi secures customer support operations with access control, encrypted transport, key protection, audit logs, and controlled AI-to-human escalation.

2) Identity and access control

  • Role-based access (admin, manager, agent)

  • Least-privilege by default

  • Admin access restricted to accounts on the company email domain

  • Immediate session revocation on suspicious activity

3) Authentication hardening

  • Strong password policy

  • 2FA enabled for admins

  • Public access to /wp-admin and wp-login.php blocked

  • Separate, non-public login route for authorized admins only; the hidden path cuts automated login noise but is not an access control by itself, so it still sits behind the password policy and 2FA above

4) API key security

  • API keys are used server-side only

  • Never ship a key in frontend JavaScript or mobile app binaries, where anyone can extract it

  • Store the key in environment variables or a secret manager, never in source control

  • Store only a hash of each key at rest and verify by comparing hashes; rotate keys on a schedule

  • Revoke a leaked key immediately and issue a replacement
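The key lifecycle described above, as an added example (not Thunaivi's own code). It assumes a key format of `tk_<8 hex lookup id>.<random secret>` (the `tk_` prefix is invented here), that only a SHA-256 hash of the key is persisted, and that a rotated key's predecessor keeps working for a grace period so clients can switch over; `ApiKeyStore` stands in for the database table.

```python
"""API key lifecycle on the server side: generate, hash at rest, verify,
rotate with a grace period, revoke.

Added example, not Thunaivi's code. Assumptions: keys look like
tk_<8 hex lookup id>.<random secret> (the prefix is invented), only a
SHA-256 hash of the key is stored, and a rotated key's predecessor keeps
working for GRACE_SECONDS. ApiKeyStore is an in-memory stand-in for the
database table.
"""
import hashlib
import hmac
import secrets
import time

KEY_PREFIX = "tk_"     # assumed prefix; makes leaked keys easy to grep for
GRACE_SECONDS = 3600   # predecessor stays valid this long after rotation


def hash_key(raw_key: str) -> str:
    # API keys are high-entropy random strings, so plain SHA-256 is enough;
    # salting and stretching are for low-entropy, user-chosen passwords.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def lookup_id_of(raw_key: str):
    """Extract the non-secret lookup id, or None if the key is malformed."""
    if not raw_key.startswith(KEY_PREFIX) or "." not in raw_key:
        return None
    return raw_key[len(KEY_PREFIX):].split(".", 1)[0]


class ApiKeyStore:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock, useful in tests
        self._records = {}     # lookup id -> record; plaintext is never stored

    def create(self, owner: str) -> str:
        lookup_id = secrets.token_hex(4)
        raw = f"{KEY_PREFIX}{lookup_id}.{secrets.token_urlsafe(32)}"
        self._records[lookup_id] = {
            "hash": hash_key(raw),
            "owner": owner,
            "created_at": self._now(),
            "expires_at": None,    # set when the key is rotated out
            "revoked_at": None,
        }
        return raw   # shown once to the caller and never persisted

    def verify(self, raw_key: str):
        """Return the owner for a valid key, otherwise None."""
        rec = self._records.get(lookup_id_of(raw_key))
        if rec is None:
            return None
        # compare_digest does not leak how many leading bytes matched
        if not hmac.compare_digest(rec["hash"], hash_key(raw_key)):
            return None
        if rec["revoked_at"] is not None:
            return None
        if rec["expires_at"] is not None and self._now() >= rec["expires_at"]:
            return None
        return rec["owner"]

    def rotate(self, raw_old: str) -> str:
        """Issue a new key for the same owner; the old one expires after the grace period."""
        owner = self.verify(raw_old)
        if owner is None:
            raise ValueError("cannot rotate a key that is not currently valid")
        self._records[lookup_id_of(raw_old)]["expires_at"] = self._now() + GRACE_SECONDS
        return self.create(owner)

    def revoke(self, lookup_id: str) -> bool:
        """Kill a key by its lookup id (all you need from a leaked key). False if unknown."""
        rec = self._records.get(lookup_id)
        if rec is None:
            return False
        rec["revoked_at"] = self._now()
        return True


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.create("agent-7")
    print("issued:", key)
    print("verify:", store.verify(key))
    new_key = store.rotate(key)
    print("old key still valid during grace period:", store.verify(key))
    store.revoke(lookup_id_of(new_key))
    print("after revoke:", store.verify(new_key))
```

Because the stored value is a hash, a dump of the key table does not yield usable credentials, and the lookup id (which is not secret) is enough to revoke a key that shows up in a leaked log or repository.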

5) Data protection

  • HTTPS/TLS for all external traffic

  • Minimize sensitive data written to logs

  • Redact secrets and tokens before they reach logs, error reports, and support diagnostics

  • Controlled retention/deletion workflow for customer data
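One way to enforce the redaction rule above at the logging layer, as an added example (not Thunaivi's code). The patterns assume bearer tokens in Authorization headers, credential-style query or form parameters, JWTs, and an invented API key format `tk_<8 hex id>.<secret>`; the sample log line is constructed.

```python
"""Redact secrets and tokens before they reach logs or diagnostics.

Added example, not Thunaivi's code. The patterns assume: bearer tokens in
Authorization headers, credential-like query/form parameters, JWTs, and an
invented product API key format tk_<8 hex id>.<secret>. The sample line at
the bottom is constructed.
"""
import logging
import re

SECRET_PATTERNS = [
    # Authorization: Bearer <token>
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    # api_key=..., token=..., password=..., secret=... in query strings or form bodies
    (re.compile(r"(?i)\b(api[_-]?key|access[_-]?token|token|password|secret)=[^&\s]+"),
     r"\1=[REDACTED]"),
    # Assumed API key format: keep the lookup id so the key can still be
    # identified and revoked, drop the secret half.
    (re.compile(r"\b(tk_[0-9a-f]{8})\.[A-Za-z0-9_\-]+"), r"\1.[REDACTED]"),
    # JWT: header.payload.signature; a base64url JSON header always starts with eyJ
    (re.compile(r"\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+"),
     "[REDACTED_JWT]"),
]


def redact(text: str) -> str:
    """Apply every pattern in order; non-secret fields (user ids, status codes) stay."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrite each record's fully formatted message, so a secret passed as a
    %s argument is caught as well as one embedded in the format string."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def install(handler: logging.Handler) -> logging.Handler:
    """Attach the filter to a handler rather than a logger: handler filters see
    records propagated from child loggers, logger filters do not."""
    handler.addFilter(RedactingFilter())
    return handler


if __name__ == "__main__":
    # Constructed sample diagnostic line
    sample = ("GET /v1/tickets?api_key=tk_0a1b2c3d.Qx9 "
              "Authorization: Bearer abc.def.ghi user=alice@example.com")
    print(redact(sample))
    handler = install(logging.StreamHandler())
    log = logging.getLogger("diag")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("key %s used by %s", "tk_0a1b2c3d.Qx9", "bob")
```

Redaction is a backstop, not the primary control: the first bullet above (do not put the secret in the log call at all) still applies, since a pattern list only catches formats someone thought of.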

6) Audit and monitoring
Track and review:

  • Login attempts and admin actions

  • User role changes

  • API key create/revoke/usage

  • Channel connect/disconnect events

  • Payment and billing state transitions
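A review pass over the events listed above (and the same check serves the "review failed logins and anomalies" item in the monthly checklist in section 10), as an added example that is not Thunaivi's code. It assumes a JSON-lines audit log with the fields used below (`ts`, `event`, `user`, `ip`, `actor`, `actor_role`, `new_role`); the event names, the thresholds, the "only admins issue API keys" rule, and the sample lines are all constructed for this example.

```python
"""Review an audit log for brute-force logins, a success right after them,
admin promotions, and API keys issued by non-admins.

Added example, not Thunaivi's code. Assumes a JSON-lines audit log with the
fields used below; event names, thresholds and sample lines are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # this many failures from one IP ...
WINDOW = timedelta(minutes=10)  # ... inside this window is treated as brute force

# Constructed sample log: RFC 5737 documentation addresses, fictional users.
SAMPLE_LOG = """\
{"ts":"2026-03-01T09:00:01Z","event":"login_failed","user":"admin","ip":"203.0.113.7"}
{"ts":"2026-03-01T09:00:05Z","event":"login_failed","user":"admin","ip":"203.0.113.7"}
{"ts":"2026-03-01T09:00:09Z","event":"login_failed","user":"admin","ip":"203.0.113.7"}
{"ts":"2026-03-01T09:00:14Z","event":"login_failed","user":"admin","ip":"203.0.113.7"}
{"ts":"2026-03-01T09:00:20Z","event":"login_failed","user":"admin","ip":"203.0.113.7"}
{"ts":"2026-03-01T09:00:31Z","event":"login_success","user":"admin","ip":"203.0.113.7"}
{"ts":"2026-03-01T09:15:00Z","event":"login_failed","user":"agent9","ip":"198.51.100.2"}
{"ts":"2026-03-01T09:15:40Z","event":"login_success","user":"agent9","ip":"198.51.100.2"}
{"ts":"2026-03-01T09:20:00Z","event":"role_changed","actor":"manager1","actor_role":"manager","user":"agent9","new_role":"admin"}
{"ts":"2026-03-01T09:21:00Z","event":"api_key_created","actor":"agent9","actor_role":"agent","user":"agent9"}
{"ts":"2026-03-01T09:30:00Z","event":"login_failed","user":"admin","ip":"203.0.113.7"}
"""


def parse_log(text):
    """Yield one dict per non-empty line with ts parsed to a datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def review(text):
    """Return a list of (kind, subject, detail) findings in log order."""
    findings = []
    recent_fails = defaultdict(deque)   # ip -> failure timestamps inside WINDOW
    flagged_ips = set()
    for rec in parse_log(text):
        event, ts, ip = rec["event"], rec["ts"], rec.get("ip")
        if event == "login_failed":
            q = recent_fails[ip]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ip not in flagged_ips:
                flagged_ips.add(ip)
                findings.append(("brute_force", ip,
                                 f"{len(q)} failed logins for {rec['user']} within {WINDOW}"))
        elif event == "login_success":
            # A success from an IP that just brute-forced is the event to chase first.
            if ip in flagged_ips:
                findings.append(("success_after_failures", ip, f"{rec['user']} logged in"))
        elif event == "role_changed" and rec.get("new_role") == "admin":
            findings.append(("privilege_grant", rec["actor"],
                             f"{rec['user']} promoted to admin"))
        elif event == "api_key_created" and rec.get("actor_role") != "admin":
            # Assumed policy for this example: only admins issue API keys.
            findings.append(("key_issued_by_non_admin", rec["actor"],
                             f"actor role {rec.get('actor_role')}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in review(SAMPLE_LOG):
        print(f"{kind:24} {subject:16} {detail}")
```

The single failure from 198.51.100.2 and the late failure from 203.0.113.7 at 09:30 (outside the window) produce nothing, so the output is the four events a reviewer actually needs to look at; the same script run over a month of logs is the "review failed logins and anomalies" step.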

7) Incident response process

  1. Detect suspicious event

  2. Revoke sessions + rotate credentials

  3. Isolate affected access path

  4. Validate integrity (users/plugins/files/logs)

  5. Restore secure baseline

  6. Document root cause and preventive controls

8) Compliance-ready documentation
Maintain clear docs for:

  • Privacy policy

  • Terms of service

  • Cookie policy

  • Data processing and retention policy

  • Security contact and escalation SLA

9) AI safety and compliance

  • Define restricted intents (legal, security, disputes)

  • Force human handoff for high-risk requests

  • Keep policy-based answer guardrails

  • Validate AI output quality regularly

10) Security checklist (monthly)

  • Rotate sensitive credentials

  • Review admin users and roles

  • Review failed logins and anomalies

  • Verify backup and restore path

  • Test incident response playbook

  • Confirm plugin/theme updates

11) Customer-facing trust FAQ (recommended)

  • How is data protected?

  • Who can access conversations?

  • How are API keys managed?

  • What happens during a security incident?

  • How can customers request data deletion?

12) Escalation contacts

  • Security contact email

  • Billing escalation email

  • Technical incident contact path

  • Expected response times by severity