Security & data protection at WebSage
Last updated: June 7, 2026
Our approach
WebSage is built for small and medium businesses in the EU, so privacy and data protection are part of the product by design — not an afterthought. This page describes the measures we have in place today, written plainly and without overstating what we have earned.
Encryption in transit
All traffic between your browser, our APIs, and the chat widget is transmitted over HTTPS / TLS 1.2+. We do not serve the application over unencrypted connections.
Encryption at rest
Sensitive credentials — including OAuth access and refresh tokens, API keys, and connector secrets — are encrypted at rest with AES-256-GCM, using a key stored outside the database. Database storage volumes provided by our infrastructure partners are encrypted at rest.
EU-only hosting & data residency
Your data is hosted in the European Union. We choose infrastructure regions inside the EU so that customer and conversation data stays within the EU. We do not move your data to other regions for processing.
GDPR by default
We operate under the GDPR. You retain control of your data: you can access, export, correct, or delete it. Where we act as a processor on your behalf, we do so under a data processing agreement — see our Data Processing Agreement.
We never train third-party AI models on your data
We use third-party AI providers to generate responses. We never use your data to train third-party AI models, and our contracts with these providers prohibit them from using your content to train their models. Only the minimum content required to answer a given customer message is sent for processing.
Access controls
- Every request is scoped to the business account that owns the data. Multi-tenant isolation is enforced at the database and vector-store level.
- Passwords are hashed with bcrypt; we never store them in plain text.
- Internal access to production systems is limited to the people who need it to operate the service, and access logs are retained for security review.
Data export & deletion
You can request an export of your data, or its deletion, at any time. When you delete your account, your account, business, conversation, knowledge-base, and connector data is removed within 30 days. To request an export or immediate deletion, email privacy@websage.app.
Report a vulnerability
If you believe you have found a security vulnerability, we want to hear from you. Please email security@websage.app with details and steps to reproduce. We will acknowledge your report and work with you to resolve the issue. Please do not publicly disclose the issue until we have had a chance to address it.