Security & Compliance
1) Security overview
Thunaivi secures customer support operations with access control, encrypted transport, key protection, audit logs, and
controlled AI-to-human escalation.
2) Identity and access control
- Role-based access (admin, manager, agent)
- Least-privilege by default
- Admin access restricted to office email accounts
- Immediate session revocation on suspicious activity
3) Authentication hardening
- Strong password policy
- 2FA enabled for admins
- Public wp-admin and wp-login blocked
- Secret login route for authorized admins only
4) API key security
- API keys are server-side only
- Never expose keys in frontend JS or mobile apps
- Store secret in env/secret manager
- Store keys only as hashes and rotate them regularly
- Revoke leaked keys immediately
5) Data protection
- HTTPS/TLS for all external traffic
- Minimize sensitive data in logs
- Redact secrets/tokens in diagnostics
- Controlled retention/deletion workflow for customer data
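As an added illustration of the key-handling controls in sections 4 and 5 (example code, not Thunaivi's own): a server-side store that keeps only hashed keys, verifies them in constant time, rotates with a grace window, hard-revokes a leaked key, and redacts the secret half before anything reaches a log. The `thv_` prefix, the `id.secret` format and the `ApiKeyStore` name are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

PREFIX = "thv_"  # constructed prefix; a fixed prefix also helps secret scanners


def digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


def redact(presented):
    """Log-safe form: keep the key id for audit correlation, drop the secret."""
    return presented.partition(".")[0] + ".<redacted>"


class ApiKeyStore:
    """Holds only SHA-256 digests; keys are 256-bit random tokens, so a fast
    hash suffices (a slow KDF is for low-entropy passwords, not random keys)."""

    def __init__(self):
        self._keys = {}  # key_id -> {"hash", "owner", "expires", "revoked"}

    def issue(self, owner):
        key_id, secret = PREFIX + secrets.token_hex(4), secrets.token_urlsafe(32)
        self._keys[key_id] = {"hash": digest(secret), "owner": owner,
                              "expires": float("inf"), "revoked": False}
        return f"{key_id}.{secret}"  # shown to the caller once, never persisted

    def verify(self, presented, now=None):
        """Return the owner for a valid key, else None (no hint as to why)."""
        now = time.time() if now is None else now
        key_id, _, secret = presented.partition(".")  # unknown/unprefixed ids miss
        rec = self._keys.get(key_id)
        if rec is None or rec["revoked"] or now > rec["expires"]:
            return None
        if not hmac.compare_digest(rec["hash"], digest(secret)):
            return None  # constant-time comparison of the digests
        return rec["owner"]

    def rotate(self, presented, grace_seconds=3600, now=None):
        """Issue a replacement; the old key keeps working only for the grace window."""
        now = time.time() if now is None else now
        owner = self.verify(presented, now)
        if owner is None:
            raise ValueError("cannot rotate an invalid key")
        self._keys[presented.partition(".")[0]]["expires"] = now + grace_seconds
        return self.issue(owner)

    def revoke(self, key_id):  # hard revoke for a leaked key; effective on next verify()
        if key_id in self._keys:
            self._keys[key_id]["revoked"] = True
```

Only `redact(key)` should ever appear in diagnostics or audit events; the key id alone is enough to tie a create/revoke/usage record to its owner.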
6) Audit and monitoring
Track and review:
- Login attempts and admin actions
- User role changes
- API key create/revoke/usage
- Channel connect/disconnect events
- Payment and billing state transitions
7) Incident response process
1. Detect suspicious event
2. Revoke sessions and rotate credentials
3. Isolate affected access path
4. Validate integrity (users/plugins/files/logs)
5. Restore secure baseline
6. Document root cause and preventive controls
8) Compliance-ready documentation
Maintain clear docs for:
- Privacy policy
- Terms of service
- Cookie policy
- Data processing and retention policy
- Security contact and escalation SLA
9) AI safety and compliance
- Define restricted intents (legal, security, disputes)
- Force human handoff for high-risk requests
- Keep policy-based answer guardrails
- Validate AI output quality regularly
10) Security checklist (monthly)
- Rotate sensitive credentials
- Review admin users and roles
- Review failed logins and anomalies
- Verify backup and restore path
- Test incident response playbook
- Confirm plugin/theme updates
11) Customer-facing trust FAQ (recommended)
- How is data protected?
- Who can access conversations?
- How are API keys managed?
- What happens during a security incident?
- How can customers request data deletion?
12) Escalation contacts
- Security contact email
- Billing escalation email
- Technical incident contact path
- Expected response times by severity