Security

/ Disclosure process, tenancy boundaries, and what integrators should verify.

Report a vulnerability

Email security@humaner.io with reproduction steps. We acknowledge within 2 business days. Do not file public issues for exploitable findings.

Multi-tenant boundaries

  • Every API key and session is scoped to one organization.
  • Agent public IDs are not secrets but are domain-bound on widget surfaces.
  • Dashboard routes enforce org membership on every data call.

Chat data

Message content and tickets live in your Humaner workspace. Configure retention via MESSAGE_RETENTION_DAYS and your org privacy settings. You control what you send via identify and live-data payloads.