ViveReply is built on enterprise-grade security foundations. From encrypted storage to GDPR compliance and AI safety guardrails — every layer of the stack is hardened.
All data transmitted between your browser, Shopify webhooks, and the ViveReply API is encrypted using TLS 1.3 — the latest and most secure transport standard.
Customer message data, merchant configurations, and Shopify store metadata are encrypted at rest using AES-256 managed keys within Supabase.
Every database query is scoped by workspace ID using Supabase Row Level Security (RLS). It is architecturally impossible for one merchant to access another's data.
ViveReply processes personal data only as necessary to deliver the service. We support all GDPR data subject rights: access, portability, rectification, and erasure.
We register all three mandatory Shopify GDPR webhook topics (customers/data_request, customers/redact, shop/redact) at installation and process them within 30 days.
We do not sell, license, or share your merchant data or your customers' personal data with any third party for advertising or commercial profiling purposes.
Merchants can request full workspace deletion at any time. End-customers can request deletion of their message history via our Data Deletion page.
ViveReply never stores raw passwords. Dashboard login uses NextAuth.js with OAuth 2.0 providers. Shopify integration uses the official OAuth PKCE flow.
All inbound Shopify webhooks are verified using HMAC-SHA256 signature validation before any processing occurs, preventing spoofed event injection.
API tokens issued from the dashboard carry minimum required scopes. Revocation takes effect immediately via our Redis-backed token store.
Enterprise customers on the Scale plan can configure SAML 2.0 single sign-on, integrating ViveReply with Okta, Azure AD, or any SAML-compatible identity provider.
Scale plan merchants receive a contractual 99.9% monthly uptime SLA backed by our distributed Vercel + Railway infrastructure with automatic failover.
Marketing site, dashboard, and widget are served from Vercel's edge network across 40+ global regions, ensuring fast load times for merchants worldwide.
Supabase maintains continuous WAL-based backups with point-in-time recovery (PITR) up to 7 days for Standard plans and 30 days for Enterprise.
The inbound webhook processor runs as an isolated Railway service. A spike in webhook load does not affect dashboard or AI reply performance.
Conversations and store data sent to OpenAI and Google Gemini are processed under zero-data-retention (ZDR) agreements. Your data is never used to train public models.
Before any data reaches external LLM APIs, our pipeline strips phone numbers, email addresses, and payment references to minimize PII exposure.
If the AI confidence score falls below our threshold, the conversation is automatically routed to a human agent — preventing low-quality or harmful replies from reaching customers.
Every AI reply, human handover, and automated trigger is logged with timestamp, model version, confidence score, and agent ID for full auditability.
Found a security issue? We take all reports seriously and respond within 24 hours. Responsible disclosure reports are eligible for credit in our changelog.
security@vivereply.comReview our full legal documentation, including privacy policy, terms of service, and data deletion instructions.