ViveReply
Security & Compliance

Your data. Protected everywhere.

ViveReply is built on enterprise-grade security foundations. From encrypted storage to GDPR compliance and AI safety guardrails — every layer of the stack is hardened.

TLS 1.3
Encryption in Transit
AES-256
Encryption at Rest
EU + UK
GDPR Compliant
99.9%
Uptime SLA

Data Encryption

TLS 1.3 in Transit

All data transmitted between your browser, Shopify webhooks, and the ViveReply API is encrypted using TLS 1.3 — the latest and most secure transport standard.

AES-256 at Rest

Customer message data, merchant configurations, and Shopify store metadata are encrypted at rest using AES-256 managed keys within Supabase.

Database Row-Level Security

Every database query is scoped by workspace ID using Supabase Row Level Security (RLS). It is architecturally impossible for one merchant to access another's data.

GDPR & Privacy

GDPR Compliant by Design

ViveReply processes personal data only as necessary to deliver the service. We support all GDPR data subject rights: access, portability, rectification, and erasure.

Shopify GDPR Webhooks

We register all three mandatory Shopify GDPR webhook topics (customers/data_request, customers/redact, shop/redact) at installation and process them within 30 days.

No Data Selling

We do not sell, license, or share your merchant data or your customers' personal data with any third party for advertising or commercial profiling purposes.

Data Deletion on Request

Merchants can request full workspace deletion at any time. End-customers can request deletion of their message history via our Data Deletion page.

Access Control

OAuth-Only Authentication

ViveReply never stores raw passwords. Dashboard login uses NextAuth.js with OAuth 2.0 providers. Shopify integration uses the official OAuth PKCE flow.

HMAC Webhook Verification

All inbound Shopify webhooks are verified using HMAC-SHA256 signature validation before any processing occurs, preventing spoofed event injection.

Scoped API Tokens

API tokens issued from the dashboard carry minimum required scopes. Revocation takes effect immediately via our Redis-backed token store.

SSO / SAML (Scale plan)

Enterprise customers on the Scale plan can configure SAML 2.0 single sign-on, integrating ViveReply with Okta, Azure AD, or any SAML-compatible identity provider.

Infrastructure & Uptime

99.9% Uptime SLA (Scale plan)

Scale plan merchants receive a contractual 99.9% monthly uptime SLA backed by our distributed Vercel + Railway infrastructure with automatic failover.

Global Edge Deployment

Marketing site, dashboard, and widget are served from Vercel's edge network across 40+ global regions, ensuring fast load times for merchants worldwide.

Database Backups

Supabase maintains continuous WAL-based backups with point-in-time recovery (PITR) up to 7 days for Standard plans and 30 days for Enterprise.

Independent Webhook Service

The inbound webhook processor runs as an isolated Railway service. A spike in webhook load does not affect dashboard or AI reply performance.

AI & LLM Safety

No Training on Your Data

Conversations and store data sent to OpenAI and Google Gemini are processed under zero-data-retention (ZDR) agreements. Your data is never used to train public models.

PII Scrubbing Pipeline

Before any data reaches external LLM APIs, our pipeline strips phone numbers, email addresses, and payment references to minimize PII exposure.

Confidence Thresholds & Escalation

If the AI confidence score falls below our threshold, the conversation is automatically routed to a human agent — preventing low-quality or harmful replies from reaching customers.

Audit Logs

Every AI reply, human handover, and automated trigger is logged with timestamp, model version, confidence score, and agent ID for full auditability.

Report a Vulnerability

Found a security issue? We take all reports seriously and respond within 24 hours. Responsible disclosure reports are eligible for credit in our changelog.

security@vivereply.com

Legal & Privacy Resources

Review our full legal documentation, including privacy policy, terms of service, and data deletion instructions.