SECURITY
CitaChat LLC
Last updated: April 12, 2026
At CitaChat, we understand that your data security and business continuity are priorities. This Security Policy describes the technical, administrative, and physical protocols we implement to protect the integrity, confidentiality, and availability of information processed through our conversational AI agent platform.
1. Infrastructure and Cloud Security
Our technological architecture is designed under Security by Design principles.
- Secure Hosting: CitaChat is hosted on Railway (infrastructure on AWS), a provider that holds SOC 2 Type II and ISO 27001 certifications.
- Network Protection: We use web application firewalls (WAF) and anomaly detection systems to prevent unauthorized access.
- Environment Separation: Development, testing, and production environments are strictly segregated to prevent accidental data leaks.
- High Availability: The architecture is designed to maintain continuous service availability with real-time monitoring.
2. Encryption and Data Protection
We implement robust cryptographic measures to protect information both in transit and at rest.
- Data in Transit: All communications between the User's browser, our API, and WhatsApp/Meta servers are encrypted using TLS 1.2 or higher (mandatory HTTPS).
- Data at Rest: Databases where we store lead information and configurations are encrypted with AES-256.
- Sensitive Credentials: WhatsApp API tokens and integration credentials are stored encrypted and never exposed in plain text, logs, or user interfaces.
- Access Tokens: Periodic rotation of internal authentication tokens is implemented.
3. AI Agent and Knowledge Base Security
Since CitaChat allows the upload of documents and configurations for the AI Agent, we apply specific controls:
- Per-Client Data Isolation: Each client's information and configurations are processed in isolated contexts. One client's data is never accessible to another client, nor mixed into response models.
- Data for Proprietary AI R&D: Data used for the development of CitaChat's proprietary models is anonymized before any processing for this purpose. Direct identifiers are systematically removed. (See Privacy Policy §6.)
- File Validation: All files uploaded to the Platform undergo format validation and malicious content scanning.
- Human Supervision: The system allows immediate human intervention to correct or stop the Agent if anomalous behavior or inappropriate responses are detected.
4. Access Control and Authentication
Data access is regulated under the principle of least privilege.
- User Authentication: Sessions are managed through secure tokens with automatic expiration.
- CitaChat Staff Access: Only authorized technical staff have access to production infrastructure, and multi-factor authentication (MFA) is mandatory for that access.
- Roles and Permissions: The platform differentiates access levels to ensure that only authorized administrators modify critical Agent configurations.
- Access Auditing: CitaChat maintains system access logs for internal staff, available for review in case of incidents.
5. Incident Management and Backup
- Backups: We perform automatic and periodic backups of the database and configurations.
- Breach Notification: In the event of a security breach affecting users' personal data, CitaChat will notify the affected Client within no more than 72 hours from detection, in accordance with GDPR standards and Meta Platforms Inc. policies.
- Continuous Monitoring: We use observability tools (including Langfuse for AI monitoring) to detect anomalies, unusual behavior, or unauthorized access attempts in real time.
- Incident Response Plan: CitaChat has a documented internal security incident response procedure that includes containment, analysis, notification, and post-incident improvement.
6. Meta / WhatsApp Business API Integration Security
CitaChat operates as a technology provider verified by Meta Platforms Inc. for use of the WhatsApp Business API (Cloud API).
- Meta Compliance: We strictly adhere to the Meta Platform Terms of Service, the WhatsApp Commerce Policy, and the security requirements for Business Solution Providers (BSPs).
- Direct Integration: CitaChat integrates the WhatsApp API directly (without additional BSP intermediaries), eliminating additional points of failure and reducing data exposure in transit.
- WhatsApp API Tokens: Client WhatsApp access tokens are stored encrypted. The client is additionally responsible for maintaining the confidentiality of their Meta Business credentials.
- Message Auditing: CitaChat maintains WhatsApp interaction logs in accordance with Meta's requirements for verified providers.
7. Government Requests — Security Procedure
CitaChat has an internal protocol for managing data access requests from public authorities:
- Every request is reviewed by the management team to validate its legality and proportionality before any action is taken.
- CitaChat will internally document each request received, including the legal basis invoked, any data disclosed, and the reasoning applied.
- In the case of requests deemed illegitimate, excessive, or contrary to data subjects' rights, CitaChat reserves the right to challenge them in court.
- CitaChat will notify the affected User to the extent permitted by applicable law.
8. Customer Responsibilities
Security is a shared responsibility. The User agrees to:
- Not share their access credentials with third parties.
- Secure the devices from which they access CitaChat.
- Not upload highly sensitive information (protected medical data, regulated banking or financial information) that is not necessary for the automated commercial service function.
- Keep the Agent's configurations up to date to reflect changes in their products, services, or service policies.
- Notify CitaChat immediately upon any suspicion of unauthorized use of their account.
9. Security Contact
To report vulnerabilities, security incidents, or audit requests:
Email: soporte@citachat.co
Phone: +57 311 635 4428
CitaChat values responsible vulnerability disclosure and will respond within no more than 48 business hours.
CitaChat LLC — soporte@citachat.co — citachat.co