SECURITY
CitaChat

At CitaChat, we understand that your data security and business continuity are priorities. This Security Policy describes the protocols we implement to protect information processed through our platform.

1. Infrastructure and Cloud Security

Our technological architecture is designed under Security by Design principles.

• Secure Hosting: CitaChat is hosted on world-class cloud providers (AWS/Google Cloud) that comply with ISO 27001 and SOC 2 certifications.
• Network Protection: We use web application firewalls (WAF) and intrusion detection systems.
• Environment Separation: Development, testing, and production environments are strictly segregated.

2. Encryption and Data Protection

• Data in Transit: All communications are encrypted using SSL/TLS 1.2 or higher protocols (HTTPS).
• Data at Rest: Databases are encrypted using the AES-256 standard.
• Sensitive Credentials: Integration credentials are stored encrypted and never displayed in plain text.

3. AI Assistant Security (RAG)

• Data Isolation: Uploaded documents are processed in an isolated environment and are not used to train public models.
• File Validation: Automatic malware and virus scanning on all uploaded files.
• Supervision: The system allows immediate human intervention ("Human-in-the-loop").

4. Access Control

• User Authentication: We enforce the use of strong passwords and secure token management.
• Staff Access: Restricted, logged access protected by multi-factor authentication (MFA).

5. Incident Management

• Backups: Automatic and periodic backups.
• Notification: Incident notification within no more than 72 hours.

6. Third-Party Integration Security (WhatsApp/Meta)

• Meta Compliance: We strictly adhere to Meta's security and commerce policies.
• API Tokens: It is the customer's responsibility to maintain the confidentiality of their WhatsApp API tokens.

7. Customer Responsibilities

Security is a shared responsibility. You agree to secure your access devices and not share credentials.