Security & Privacy

Security your customers can trust.

Encrypted, isolated, and stored in the EU. Never used to train AI.

  • EU only: Hosted in Frankfurt
  • Encrypted: In transit & at rest
  • Isolated: Per workspace
  • Never trains AI: Your data is yours

Security, by default

The protections behind every conversation.

Your data stays in the EU

Application, database, and storage on AWS in Frankfurt.

Encrypted

In transit and at rest.

Isolated

Private per workspace.

Never used to train AI

Not by us, and not by the model providers.

Access control

Roles, logged staff access.

Delete anytime

Erase on request.

Security at every layer

The full set of measures protecting your data.

Data protection

  • Encrypted in transit and at rest
  • EU data residency (Frankfurt)
  • Workspace isolation
  • Encrypted credentials & secrets

Access & accountability

  • Email & Google sign-in
  • Owner & member roles
  • Least-privilege staff access
  • Audit log

Application

  • Verified inbound webhooks
  • Rate limiting
  • Input validation
  • Agent embed domain control

Privacy & rights

  • Erasure on request
  • Data Processing Agreement
  • Published sub-processors

Your data stays yours.

We do not sell your data, and we never use it, or your customers' conversations, to train AI models.

Stored in the EU

On AWS in Frankfurt, eu-central-1.

Yours to delete

Erase any record, or everything, on request.

Never trains AI

Providers process messages only to reply.

Frequently asked

Everything customers and their security teams ask us, answered plainly.

Is my data encrypted?
Yes. Your data is encrypted both in transit and at rest.

Where is my data stored?
In the European Union. Our application, database, and file storage run on AWS in Frankfurt (eu-central-1).

Do you use my data to train AI models?
No. We never use your data or your customers' conversations to train AI models.

Do the AI model providers train on my data?
No. We use several AI model providers, and messages are sent to them only to generate a response. Under their API terms, that data is not used to train their models.

Who can access my data?
Your workspace is isolated and never visible to other customers. Access by our team is limited to what is needed to run and support the service, and is recorded in an audit log.

Who can use or embed my agent?
Agents are private by default. You control which domains can load your agent's widget, and only agents you make public can be used outside your workspace.

Can I delete my data, and how long do you keep it?
You can erase an individual customer’s data or your entire workspace at any time. We keep your data until you choose to delete it.

Is Totebot GDPR compliant, and do you offer a DPA?
We are built to help you meet GDPR: your data stays in the EU, we support data-subject rights including erasure, and we offer a Data Processing Agreement on request.

Which sub-processors do you use?
We publish a current list of sub-processors that help operate Totebot, and we give notice before adding a new one.

Read the details

The agreements and policies behind everything above.