Security & Privacy
Built secure by default
Appalix uses industry-standard authentication, cryptographic verification, and strict data isolation to protect your business and your customers.
Authentication & access control
Multiple layers of protection
API key authentication
Every custom API and WordPress integration is protected by a unique API key passed via a request header. Keys are generated with 40 characters of cryptographic randomness and stored server-side — never exposed in frontend code or browser responses.
HMAC-SHA256 signature verification
Inbound webhook payloads (e.g. WooCommerce) are verified against an HMAC-SHA256 signature before any processing occurs. All comparisons use timing-safe equality checks (timingSafeEqual) to eliminate timing-attack vectors.
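The check described above, sketched for Node.js as an added example (not Appalix's own code). It assumes WooCommerce's convention of sending the signature base64-encoded in the X-WC-Webhook-Signature header; the function names, secret and payload are constructed for illustration.

```javascript
// Added example, not Appalix code. Node.js standard library only.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Verify a webhook body against a base64 HMAC-SHA256 signature header value.
// rawBody must be the exact bytes received, captured before any JSON parsing.
function verifyWebhookSignature(rawBody, signatureHeader, secret) {
  // A missing or empty header is a rejection, never "unsigned but accepted".
  if (typeof signatureHeader !== "string" || signatureHeader.length === 0) {
    return false;
  }
  if (!Buffer.isBuffer(rawBody)) return false;

  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, "base64");

  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  // The digest length (32 bytes) is public, so this reveals nothing secret.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Constructed sample data (assumed values, for illustration only).
const SAMPLE_SECRET = "constructed-test-secret";
const SAMPLE_BODY = Buffer.from('{"id": 1001, "status": "processing", "total": "19.99"}');
const SAMPLE_SIGNATURE = createHmac("sha256", SAMPLE_SECRET)
  .update(SAMPLE_BODY)
  .digest("base64");

// Runs the verifier over the cases a receiver has to handle.
function runSampleChecks() {
  const tampered = Buffer.from(SAMPLE_BODY.toString().replace("19.99", "0.01"));
  // Parsing and re-serialising drops whitespace, so the bytes no longer match.
  const reserialised = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString())));
  return {
    valid: verifyWebhookSignature(SAMPLE_BODY, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    tamperedBody: verifyWebhookSignature(tampered, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    reserialisedBody: verifyWebhookSignature(reserialised, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    wrongSecret: verifyWebhookSignature(SAMPLE_BODY, SAMPLE_SIGNATURE, "other-secret"),
    missingHeader: verifyWebhookSignature(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    truncatedSignature: verifyWebhookSignature(SAMPLE_BODY, SAMPLE_SIGNATURE.slice(0, 20), SAMPLE_SECRET),
  };
}

console.log(runSampleChecks());
```

The reserialised case is the one that most often breaks real receivers: the signature covers the bytes on the wire, so the handler has to keep the raw request body rather than verifying a parsed-and-restringified copy.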
Session-based authentication
Every dashboard request passes through Next.js middleware that validates the user's JWT session via Supabase Auth. Unauthenticated requests are immediately redirected to the login page — no dashboard data is ever accessible without a valid session.
IP allowlisting
Custom API integrations support an optional IP allowlist. Requests from unlisted IP addresses are rejected before reaching your AI agent, giving you an additional layer of network-level access control.
Workspace isolation
Every resource — bots, conversations, integrations, knowledge sources — is scoped to a workspace. All database queries enforce workspace_id equality, so one account can never read or modify another's data.
Credentials never in the frontend
Integration secrets (Twilio credentials, Telegram bot tokens, Slack webhook URLs) are stored in encrypted JSONB columns and only accessed server-side. They are never serialised into page HTML or JavaScript bundles.
Data privacy
GDPR & data privacy commitments
We are committed to handling personal data responsibly and in compliance with applicable data protection regulations including GDPR.
Conversation data is stored in isolated, per-workspace tables and is never shared between accounts.
Users can download or permanently delete all conversation records from the dashboard at any time.
We collect only the minimum data required to operate the service — no advertising profiles, no data brokering.
Data is processed on infrastructure hosted in the EU / US regions with encryption in transit (TLS 1.2+) and at rest.
We do not sell, share, or transfer personal data to third parties except as required to operate the service (e.g. AI model inference).
Recommendations
Security best practices for your account
Never expose API keys in frontend code
Your integration API keys are for server-to-server communication only. If you build a custom integration, call the Appalix API from your backend, not from browser JavaScript.
Store credentials in environment variables
Use .env files or your hosting provider's secret manager for Twilio, Telegram, and webhook credentials. Never commit secrets to version control.
Rotate keys periodically
Regenerate your integration API keys regularly and immediately if you suspect a key has been compromised. Rotation takes effect instantly.
Monitor your conversations
Review the Conversations dashboard regularly for unusual activity patterns. Flag any unexpected message volumes or suspicious content.
Restrict allowed origins
For web widget integrations, set your domain(s) in the Allowed Origins field rather than leaving it open to *. This prevents your widget from being embedded on unauthorised sites.
Use IP allowlisting for Custom API
If your backend has a fixed IP or CIDR range, configure the IP allowlist on your Custom API integration to block all other sources.
Access log monitoring: Continuous
Encryption in transit: TLS 1.2+
Database encryption: At rest
Found a security issue?
We take security reports seriously. If you discover a vulnerability, please contact us responsibly before disclosure and we will work with you to address it promptly.