Security & Trust

1. Data Storage & Residency

All Konverze AI data — including your chatbot training data, conversation logs, account information, and uploaded documents — is stored on Microsoft Azure infrastructure located in the Central India region (Pune).

This means your data stays in India. We do not store primary data in the US, EU, or any other region. For EU customers, conversations are processed via AI APIs (OpenAI) with appropriate Standard Contractual Clauses (SCCs) in place — see Section 5 below.

• Primary database: Azure MySQL Flexible Server — Central India
• File storage: Azure Blob Storage — Central India
• Vector database (AI knowledge base): Qdrant — hosted on our Central India VM
• Cache layer: Redis — in-memory, same VM

2. Encryption

2.1 Data in Transit

All data transmitted between your browser, the Konverze AI widget, and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS-only connections. HTTP connections are automatically redirected to HTTPS at the Cloudflare and Nginx layers before reaching our application.

2.2 Data at Rest

All data stored on Azure infrastructure is encrypted at rest using AES-256 encryption — the same standard used by banks and government agencies. Encryption keys are managed by Azure Key Vault with automated rotation.

2.3 Authentication Tokens

We use httpOnly, Secure, SameSite=Lax cookies for authentication. This means your session token is completely inaccessible to JavaScript — it cannot be stolen by XSS attacks. We do not store tokens in localStorage or sessionStorage.

3. Application Security

• Rate limiting: All API endpoints are rate-limited per IP and per tenant to prevent abuse and brute-force attacks
• IP blocking: Automated abuse detection with persistent IP blocking for repeated violations
• Input validation: All user inputs are validated and sanitised server-side before processing
• API key isolation: Each tenant has a unique API key and public key — one tenant cannot access another's data under any circumstances
• CORS policy: Widget requests are validated against your registered domain — embedding on unauthorised domains is blocked
• Security headers: X-Content-Type-Options, X-Frame-Options (SAMEORIGIN), X-XSS-Protection, Referrer-Policy are set on all responses
• DDoS protection: Cloudflare DDoS mitigation is active in front of all infrastructure

4. Uptime & Reliability

• Infrastructure: Azure Virtual Machines with automated health monitoring
• Process management: PM2 with automatic restart on failure
• Reverse proxy: Nginx with Cloudflare in front for edge caching and failover
• Database: Azure MySQL Flexible Server with automated backups
• Monitoring: Active uptime monitoring with alerting to engineering team
• Incident response: Critical issues acknowledged within 1 hour, resolved within 4 hours

For real-time status, visit status.konverze.in.

5. Data Backups

• Database: Automated daily backups retained for 7 days via Azure MySQL automated backup
• File storage: Azure Blob Storage with geo-redundant storage (GRS) — data is replicated to a secondary Azure region automatically
• Backup testing: Restore procedures are tested quarterly to ensure backups are usable
• Recovery Time Objective (RTO): Target 4 hours for full service restoration from backup
• Recovery Point Objective (RPO): Maximum 24 hours of data loss in a catastrophic failure scenario

6. AI & Sub-Processor Security

When your chatbot processes a visitor message, the message is sent to our AI provider (OpenAI) to generate a response. This is the only third-party sub-processor that receives conversation data.

6.1 Sub-Processors

• Microsoft Azure (infrastructure, storage, compute) — India region
• OpenAI, L.L.C. (LLM API for response generation) — US-based, SCCs in place
• Cloudflare (CDN, DDoS protection, DNS) — global edge
• Razorpay (payment processing for Indian customers) — India
• Zoho Mail (transactional email delivery) — India

6.2 OpenAI Data Handling

Per OpenAI's API terms: data sent via the API is not used to train OpenAI models. Messages are processed ephemerally to generate a response and are not stored beyond 30 days for abuse monitoring purposes.

7. Compliance

• GDPR (EU/EEA): Compliant. Lawful bases documented. SCCs in place for international transfers. DPA available on request.
• DPDPA 2023 (India): Compliant. Grievance Officer appointed. Data Principal rights honoured.
• CCPA / CPRA (California): Compliant. No data selling or sharing for advertising.
• IT Act 2000 (India): Compliant. Reasonable security practices maintained as required under Section 43A.

8. Access Controls

• Principle of least privilege: Engineering team members only have access to the systems required for their role
• Production access: Direct production database access is restricted to senior engineers and requires SSH key authentication
• Tenant isolation: Every API request is scoped to a single tenant — no cross-tenant data access is possible at the application layer
• Superadmin controls: Platform-level admin access requires two-factor authentication and is logged via immutable audit trail

9. Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in the Konverze AI platform, please report it responsibly:

10. Data Processing Agreement (DPA)

For enterprise customers and organisations subject to GDPR who require a formal Data Processing Agreement (DPA), we provide one on request. The DPA covers:

• Scope and purpose of data processing
• Technical and organisational security measures
• Sub-processor list and notification obligations
• Data subject rights assistance
• International transfer mechanisms (SCCs)
• Data breach notification obligations

To request a DPA, email [email protected] with subject line "DPA Request".

11. Contact