Security
/ Disclosure process, tenancy boundaries, and what integrators should verify.
Report a vulnerability
Email security@humaner.io with reproduction steps. We acknowledge within 2 business days. Do not file public issues for exploitable findings.
Multi-tenant boundaries
- Every API key and session is scoped to one organization.
- Agent public IDs are not secrets but are domain-bound on widget surfaces.
- Dashboard routes enforce org membership on every data call.
Chat data
Message content and tickets live in your Humaner workspace. Configure retention via MESSAGE_RETENTION_DAYS and your org privacy settings. You control what you send via identify and live-data payloads.