Security
Your data security is our priority
We build security into every layer of the PressTwo platform. Here's how we protect your business data and your customers' conversations.
Infrastructure Security
Our platform is hosted on Vercel and Supabase, industry-leading infrastructure providers with SOC 2 Type II compliance.
- All infrastructure runs on isolated, managed environments with automatic security patches
- Network traffic is encrypted in transit using TLS 1.2 or higher
- Database connections are encrypted and access is restricted to authorized services only
- Automatic DDoS protection and rate limiting at the edge
Data Encryption
- In transit: All data transmitted between your browser, our servers, and third-party services is encrypted using TLS 1.2+
- At rest: All stored data, including Knowledge Base Data, conversation logs, and account information, is encrypted using AES-256
- API keys and secrets: Stored using encrypted environment variables, never committed to source code
Data Isolation
- Each customer's data is logically isolated using row-level security policies
- Knowledge Base Data is scoped to individual bots — no cross-contamination between customers
- AI model inference requests are stateless — conversation context is not persisted by the AI provider
- Your data is never used to train AI models or shared with other customers
Authentication and Access Control
- User authentication is handled by Supabase Auth with bcrypt password hashing
- Session tokens are HTTP-only, secure, and scoped
- API endpoints are protected by authenticated middleware — no anonymous access to customer data
- Bot widget endpoints verify bot ownership before serving configurations
AI Model Security
- We use enterprise-grade AI APIs from providers with strong data protection commitments
- Prompts include guardrails to prevent prompt injection, jailbreaking, and off-topic responses
- Your Knowledge Base Data is injected as context at inference time — it is not used to fine-tune or train any models
- AI providers are contractually prohibited from using your data for model training
Payment Security
- All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor
- We never store credit card numbers, CVVs, or full payment details on our servers
- Billing portal and subscription management are handled through Stripe's secure hosted pages
Incident Response
- We maintain an incident response plan for security events
- Affected customers will be notified within 72 hours of a confirmed data breach
- Post-incident reviews are conducted to prevent recurrence
Have security questions?
We're happy to discuss our security practices in detail or complete your vendor security questionnaire.