Trust & security

Enterprise-grade security, by default.

We treat your customer conversations and contact data as sensitive by default. Here’s exactly how we protect it.

Row-level security on every table

All workspace data is isolated using Postgres RLS. A user can only read or write rows in workspaces they belong to — enforced at the database, not the app layer. Roles (owner, admin, editor, agent) are stored in a dedicated table, never on user profiles, to prevent privilege escalation.
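As an added illustration (not this product's actual schema or policies), the following Postgres example shows workspace isolation enforced by RLS with roles held in a dedicated table. All table, type, function and policy names are hypothetical, as is the permission split between roles. It assumes Supabase, where `auth.uid()` returns the authenticated caller's user id.

```sql
-- Added example: every table, type, function and policy name is hypothetical.
-- Assumes Supabase, where auth.uid() returns the caller's user id.
create type workspace_role as enum ('owner', 'admin', 'editor', 'agent');

-- Roles live in their own table, not on a profile row the user can edit.
create table workspace_roles (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         workspace_role not null,
  primary key (workspace_id, user_id)
);

create table contacts (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  phone        text not null
);

-- SECURITY DEFINER: runs as the function owner (assumed to own the tables),
-- so policies can consult workspace_roles without recursing into its own RLS.
create function has_workspace_role(ws uuid, allowed workspace_role[])
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (
    select 1 from workspace_roles r
    where r.workspace_id = ws
      and r.user_id = auth.uid()
      and r.role = any(allowed)
  );
$$;

alter table workspace_roles enable row level security;
alter table contacts enable row level security;

-- A member can read only their own role rows; only owners can change roles,
-- so a user cannot grant themselves a higher role.
create policy roles_read on workspace_roles for select
  using (user_id = auth.uid());
create policy roles_manage on workspace_roles for all
  using (has_workspace_role(workspace_id, '{owner}'))
  with check (has_workspace_role(workspace_id, '{owner}'));

-- Any member reads contacts in their workspace; writes exclude agents (assumed split).
create policy contacts_read on contacts for select
  using (has_workspace_role(workspace_id, '{owner,admin,editor,agent}'));
create policy contacts_write on contacts for all
  using (has_workspace_role(workspace_id, '{owner,admin,editor}'))
  with check (has_workspace_role(workspace_id, '{owner,admin,editor}'));
```

With RLS enabled and no matching policy, Postgres denies access by default, so a row in a workspace the caller does not belong to is never returned or modified, whatever query the application sends.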

Encrypted credentials & secrets

WhatsApp access tokens, API keys, and webhook secrets are stored in restricted tables and only accessed by trusted server functions. We never expose raw tokens to the browser. API keys are stored as one-way SHA-256 hashes — even we can't read them after creation.

Full audit log

Every send, edit, invite, role change, and payment review is recorded with the actor, timestamp, and metadata. Owners can review activity at any time from app › Settings › Activity.

GDPR self-serve

Users can export all of their personal data and request account deletion directly from their profile page. Workspace owners can purge contacts, conversations, and suppressions on demand. We honour deletion requests within 30 days.

Infrastructure

Hosted on Cloudflare Workers (edge) and Supabase (Postgres + Auth + Storage), both with SOC 2 Type II audits. Daily backups, point-in-time recovery, and webhook signature verification on every payment & WhatsApp event.

Need a DPA, security review, or pen-test report?

We're happy to provide one. Email security@valorsbox.com and we'll respond within one business day.