Security
A short, honest summary. If you need a longer document for procurement, email us.
All traffic between your browser, our servers, and your customers is encrypted with TLS 1.2+. Data at rest in our managed Postgres database is encrypted using AES-256. Database backups are encrypted by the storage layer.
We host on Vercel (application) and Supabase (managed Postgres + storage). Both providers operate SOC 2 Type II certified infrastructure. Production data is isolated per organisation by row-level security policies.
Every API call is authenticated. Each organisation’s data is scoped via row-level security on the database itself, not just at the application layer. Internal access to customer data is limited to engineers on call, logged, and reviewed.
WhatsApp messages route through Whapi, a WhatsApp Business solution provider. Messages are signed with a per-instance secret. We never store plaintext WhatsApp credentials in our application code.
Card payments are processed by PayFast, a PCI-DSS Level 1 compliant South African payment gateway. We never see or store full card numbers. PayFast signatures are validated server-side on every webhook.
Database backups run daily and are retained for 7 days. Point-in-time recovery is available for the past 7 days. We test restore procedures during onboarding of new infrastructure.
Passwords are hashed with bcrypt. Session tokens are stored as HttpOnly, Secure cookies with SameSite=Lax. Magic-link login is available as an alternative to passwords.
If you believe you have found a security issue, please email hello@clientpulse.co.za. We respond within one SA business day, will not pursue legal action against good-faith researchers, and credit reporters in our changelog if requested.