Trust & Security

Built for the team that has to answer to a security review.

Compliance certifications, encryption everywhere, regional data residency, a real GDPR right-to-be-forgotten API, and a self-hosted option for the most compliance-bound deployments. The page your procurement team will ask for.

All systems operational · 99.99% uptime over the last 90 days

Certifications & standards

  • SOC 2 Type II · Audited annually
  • GDPR Compliant · Default for all EU traffic
  • CCPA Ready · California privacy rights honored
  • ISO 27001 · Aligned controls; cert in progress
  • HIPAA Available · Self-hosted only

Security pillars

The four guarantees you can put in writing.

Not vague reassurances. Specific commitments backed by audited controls.

Encryption everywhere

All data is encrypted in transit and at rest. No customer data crosses the network in clear text; every hop is inside a TLS connection.

  • TLS 1.2+ required for every visitor / agent / API connection
  • AES-256 at rest for chat transcripts and visitor PII
  • SHA-256 hashed API tokens, OAuth secrets, webhook signing keys
  • HMAC-signed outbound webhook payloads (sha256 hex digest)
  • Database backups encrypted with rotating keys
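The page states only that outbound webhook payloads carry an HMAC-SHA256 hex digest. The following is an added example of how a receiving endpoint should verify such a signature; it is not MyLiveChat's own code, and the header name, the secret provisioning and the sample payload are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Assumed header name: the page does not state which header carries the digest.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_payload(body: bytes, secret: bytes) -> str:
    """Sender side: HMAC-SHA256 over the raw body, as a lowercase hex digest."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_payload(body: bytes, signature_hex: Optional[str], secret: bytes) -> bool:
    """Receiver side: reject missing, malformed or mismatching signatures.

    The comparison is constant-time so a caller who controls the signature
    value cannot recover the expected digest byte by byte through timing.
    """
    if not signature_hex:
        return False
    signature_hex = signature_hex.strip().lower()
    # A SHA-256 hex digest is exactly 64 hex characters; anything else is malformed.
    if len(signature_hex) != 64:
        return False
    try:
        bytes.fromhex(signature_hex)
    except ValueError:
        return False
    expected = sign_payload(body, secret)
    return hmac.compare_digest(expected, signature_hex)


def handle_webhook(headers: Dict[str, str], body: bytes, secret: bytes) -> Tuple[int, str]:
    """Minimal handler: only a verified payload reaches application logic."""
    # HTTP header names are case-insensitive, so match them case-insensitively.
    sig = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not verify_payload(body, sig, secret):
        return 401, "invalid or missing webhook signature"
    return 200, "accepted"


if __name__ == "__main__":
    # Constructed sample secret and payload for this demonstration only.
    secret = b"constructed-demo-secret"
    body = b'{"event":"chat.ended","visitor_id":42}'
    sig = sign_payload(body, secret)
    print(handle_webhook({SIGNATURE_HEADER: sig}, body, secret))        # (200, 'accepted')
    print(handle_webhook({SIGNATURE_HEADER: sig}, body + b" ", secret))  # (401, ...)
```

Verify against the raw request bytes before any JSON parsing or re-serialisation, since a single changed byte (including whitespace) invalidates the digest.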

Regional data residency

Pick where customer data lives. EU traffic stays in EU. North American traffic stays in NA.

  • EU region — Frankfurt + Amsterdam, Free plan and up
  • NA region — Toronto + Virginia, default for new sites
  • Self-hosted — deploy in your own VPC for the most regulated workloads
  • Region pinned at site creation, swappable on request
  • No cross-region replication of customer PII without explicit consent

Access controls

Least-privilege role assignments, audit logs of every admin action, optional SSO + MFA.

  • Role-based access — Owner / Admin / Agent / Viewer
  • SSO via SAML 2.0 on Growth plans (Okta, Azure AD, Google Workspace)
  • MFA enforcement via TOTP for every admin account
  • Team transparency log — who did what, when, immutable
  • Session expiry + IP allow-listing on Growth plans

Incident response

Documented runbooks, on-call rotation, public status page, customer notification SLAs.

  • 24/7 on-call rotation for P0 / P1 incidents
  • Public status page with subscribe-by-email or RSS
  • Customer notification <24h for any data-impacting incident
  • Post-mortems for every P0/P1 published within 30 days
  • 99.95% monthly uptime SLA on Growth plans (with credits)

Where your data lives

Pick a region, pin it for life.

Three options. Pick by jurisdiction, latency, or compliance requirement.

European Union

All plans

Primary: Frankfurt. Backup: Amsterdam. GDPR-aligned by design. EU traffic never leaves the EU without explicit cross-region consent.

North America

All plans · default

Primary: Toronto, CA. Backup: N. Virginia, US. PIPEDA-aligned. Default for new sites unless EU region selected at signup.

Self-hosted

Custom plans

Deploy MyLiveChat into your own VPC (AWS, Azure, on-prem). For HIPAA, FedRAMP, regional sovereign-cloud requirements. Talk to sales for a quote.

Visitor data lifecycle

Right-to-be-forgotten, by API.

Most platforms make data deletion a support ticket. We make it an HTTP DELETE.

From collection to deletion in three commitments.

Visitor PII is the highest-risk data we hold. We treat it accordingly.

1 · Collected

Only what your SDK explicitly identifies, plus session metadata. No fingerprinting. No third-party trackers. No background telemetry from the widget.

2 · Stored

AES-256 at rest, regional data hosting, role-based access, audit-logged on every admin read. Backups encrypted with rotating keys.

3 · Deleted

DELETE /v1/api.ashx?resource=visitors&id=N — cascades to events, transcripts, and segments. Honors GDPR / CCPA right-to-be-forgotten.

Sub-processors

Every vendor we hand data to.

Full transparency. We notify on changes 30 days before they take effect.

Sub-processor · Purpose · Region

  • AWS · Primary application hosting + RDS managed databases · CA / EU / US
  • Stripe · Payment processing for plan subscriptions · US
  • PayPal · Alternate payment processing · US
  • OpenAI · AI chatbot inference (managed plan only; bypass with bring-your-own-key) · US
  • SendGrid · Transactional email (signups, password reset, transcript delivery) · US
  • Cloudflare · CDN + DDoS protection for the visitor-side widget · Global

Subscribe to sub-processor change notifications: [email protected]

Documentation

Available on request.

Sales engineering will walk your security team through these — or send the documents under NDA.

SOC 2 Type II report

Annual audit covering security, availability, confidentiality. Signed under NDA.

CAIQ-Lite questionnaire

Pre-completed Cloud Security Alliance assessment (~250 control questions).

Data Processing Agreement

GDPR-compliant DPA template. Pre-signed, ready to counter-sign on receipt.

Penetration test summary

Annual third-party pen-test executive summary (full report under NDA).

Architecture overview

Network diagram, data flow, key management. For your security team's review.

Vulnerability disclosure

Found something? Email [email protected]. Bounty program in pilot.

Common questions

Security FAQ.

Where is my data physically stored?
Default region is North America (Toronto primary, Virginia backup). EU customers can pin to the EU region (Frankfurt primary, Amsterdam backup) at signup. Self-hosted deployments live wherever you put them. Region is pinned at site creation and swappable later via support ticket.

How do you handle visitor right-to-be-forgotten requests?
Two paths. As an admin, hit the Delete button on any visitor row in the dashboard; the deletion cascades through visitor + events + transcripts + segments. Or programmatically: DELETE /v1/api.ashx?resource=visitors&id=N with a write-scoped token. The deletion is immediate; backups retain the data for 30 days, after which it is gone.

Are you SOC 2 certified?
SOC 2 Type II, audited annually by an independent CPA firm. The report is available under NDA; ask via the Documentation section above. ISO 27001 certification is in progress (controls aligned, cert audit scheduled).

Does the AI chatbot send my data to OpenAI?
On the managed AI plan: yes, the relevant chat snippets + KB chunks are sent to OpenAI to generate replies. We send the minimum needed and never train OpenAI's models on your data (their API ToS excludes this by default). On the bring-your-own-key plan, you own the OpenAI relationship directly. For zero AI data egress, use self-hosted with a local model.

What about HIPAA for healthcare workloads?
HIPAA-compliant deployment is available via the self-hosted option only; we'll sign a BAA. Our managed cloud is not HIPAA-attested. If you need PHI in chat conversations, contact sales for a self-hosted quote.

How do I report a security vulnerability?
Email [email protected]. We respond within one business day, typically faster. The pilot bounty program rewards eligible findings; ask for the scope when you submit.

Hand this page to your security team.

Then loop us in. We've done this with hundreds of procurement reviews — we move at the pace your CISO needs.
