GetSupportX
Security & trust

Your customer data stays yours, period

Strict multi-tenant isolation, SSO and SCIM, GDPR tooling, and AI that never trains shared models on your conversations. Bring your own key or use platform credits — your data never leaves the lane you put it in.

Trust isn't a tier. From the smallest free workspace to the largest enterprise tenant, the same isolation model, encryption and access controls protect every conversation. Below is how we keep your data safe across every layer of the platform.

How we protect data

Defense in depth, across every layer

From the database row to the incident bridge, security is engineered into how GetSupportX is built and run.

Multi-tenant data isolation

Every workspace's data is isolated at the data layer. A request-scoped tenant context (AsyncLocalStorage) plus a Prisma query extension stamps and scopes every read and write, so one customer can never see another's data.

Encryption in transit & at rest

All traffic is served over TLS, and data is encrypted at rest in our managed database and object storage. Secrets and credentials are encrypted with envelope keys, never stored in plaintext.

RBAC & least privilege

Granular roles (admin, manager, agent) and seat types gate every action, with custom roles on higher tiers. Agents see only what their role allows; internal notes never reach end-user portals.

SSO & SCIM provisioning

Enforce single sign-on with SAML or OIDC, and automate joiner-mover-leaver with SCIM provisioning on Business and Enterprise — so access follows your identity provider, not a spreadsheet.

Audit logging & impersonation controls

Security-relevant actions are recorded in an audit log. Admin impersonation is gated, time-boxed and logged, so support access is always accountable and reviewable.

GDPR & data rights

Self-serve export and erasure tooling lets you fulfil data-subject requests, and we offer a signable DPA. You stay the controller; we act as processor under documented terms.

Secure development

Code review, dependency scanning and least-privilege service accounts are part of how we ship. Public endpoints are rate-limited, webhooks are HMAC-signed and SSRF-guarded, and inputs are validated server-side.

Infrastructure & uptime

We run on hardened, managed cloud infrastructure with network isolation, automated backups and a 99.99% uptime target. Capacity and health are monitored continuously.

Incident response

We maintain an incident response process with defined severities, on-call escalation and customer notification commitments. Material incidents are communicated promptly per our DPA.

Vendor & subprocessor management

We vet subprocessors for security and privacy before onboarding, bind them with data-protection terms, and publish the current list so you always know who's in the chain.

Reliability

Always on, always encrypted

99.99%
Uptime target
TLS 1.2+
Encryption in transit
AES-256
Encryption at rest
<72h
Breach notification
Compliance & data rights

The paperwork your team and legal need

Signable agreements, a clear privacy posture, and a published subprocessor list — so your due diligence is fast.

Data Processing Addendum

GDPR-ready terms covering processing, subprocessors and international transfers.

Read the DPA

Privacy Policy

What we collect, why, how long we keep it, and the rights you and your customers have.

Read the policy

Subprocessors

The current list of vendors that may process data on our behalf, kept up to date.

View subprocessors

Responsible disclosure

Found a vulnerability? We want to hear from you. Report it privately and we'll acknowledge promptly, investigate, and keep you updated through resolution. We don't pursue researchers acting in good faith.

[email protected]

What to include

  • A clear description of the issue and its potential impact
  • Steps to reproduce, with any proof-of-concept
  • Affected URLs, endpoints or components
  • Your contact details so we can follow up

Please give us reasonable time to remediate before any public disclosure, and avoid accessing or modifying other users' data.

Security FAQ

Common security questions

Every workspace is isolated at the data layer. A request-scoped tenant context (AsyncLocalStorage) combined with a Prisma query extension automatically scopes every read and stamps every write with the right workspace, so cross-tenant access is structurally prevented rather than left to per-query discipline.

No. AI features are grounded in your own knowledge base and conversations. You can bring your own model key or use platform credits, and your data is never used to train shared or third-party models.

Yes. SAML and OIDC single sign-on are available on Business and Enterprise, with SCIM provisioning to automate the joiner-mover-leaver lifecycle and custom roles for fine-grained access control.

We provide self-serve export and erasure tooling so you can fulfil access and deletion requests, plus a signable Data Processing Addendum. You remain the data controller; GetSupportX acts as a processor under documented terms.

We target 99.99% platform uptime, run on hardened managed infrastructure with automated backups, and monitor health continuously. Enterprise plans can include a contractual SLA.

Talk to our security team

Need a security review, a signed DPA, or answers for your vendor assessment? We're happy to help.