Built like an adult product.
We hold your customers' SMS history. That's a serious responsibility, and the architecture reflects it.
The eight practices we actually live by
Every one of these is tested in CI. We don't ship security claims we can't prove.
Each customer's conversation history lives in a physically separate database file. There is no cross-tenant query path in our codebase — the multi-tenant scheduler iterates files, not rows. A bug that leaks data between customers is architecturally impossible without modifying the routing layer itself.
Your Close.com and Anthropic API keys are encrypted with AES-256-GCM before they ever touch our database. The master encryption key lives only in the hosting environment's secret store: never in our database, never in our git history, never in our logs.
Passwords are hashed with bcrypt at cost factor 12 (~250ms per verify). Even a database leak does not expose customer passwords. Consuming a forgot-password token wipes all of that user's existing sessions, so an attacker holding a stale cookie is locked out.
Every API request is gated by a middleware that resolves the session cookie → user → tenant_id → tenant database. The handler receives the right database directly; it never touches a global connection. Tenant scoping is not opt-in — it's the only way data is accessed.
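As an added illustration of the per-tenant database files, the session wipe on password reset, and the tenant-scoping middleware described above (example code written for this page, not the product's own; the SQLite-file-per-tenant layout, the in-memory session store, and all function names are assumptions):

```python
import secrets
import sqlite3
import tempfile
from pathlib import Path

# Constructed in-memory state for the demo (assumptions, not the vendor's code):
# one SQLite file per tenant, plus a session store and a user -> tenant map.
TENANT_DIR = Path(tempfile.mkdtemp())
SESSIONS = {}  # session token -> user_id
USERS = {}     # user_id -> tenant_id

def create_tenant(tenant_id, messages):
    """Provision a physically separate database file and seed constructed SMS rows."""
    with sqlite3.connect(TENANT_DIR / f"{tenant_id}.db") as con:
        con.execute("CREATE TABLE sms (lead TEXT, body TEXT)")
        con.executemany("INSERT INTO sms VALUES (?, ?)", messages)

def login(user_id, tenant_id):
    """Issue an unguessable session token bound to a user (and thus to one tenant)."""
    USERS[user_id] = tenant_id
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def revoke_sessions(user_id):
    """Drop every session for a user, as on consuming a forgot-password token."""
    for token in [t for t, u in SESSIONS.items() if u == user_id]:
        del SESSIONS[token]

def tenant_scoped(handler):
    """Middleware: cookie -> user -> tenant_id -> that tenant's file. The handler
    receives only this connection; there is no global connection to fall back on."""
    def wrapped(cookies):
        user_id = SESSIONS.get(cookies.get("session"))
        if user_id is None:
            raise PermissionError("missing, forged or revoked session")
        db_path = TENANT_DIR / f"{USERS[user_id]}.db"
        # mode=rw: refuse to silently create an empty file for an unknown tenant.
        con = sqlite3.connect(f"file:{db_path}?mode=rw", uri=True)
        try:
            return handler(con)
        finally:
            con.close()
    return wrapped

@tenant_scoped
def list_sms(db):
    # The handler can only ever query the file the middleware handed it.
    return db.execute("SELECT lead, body FROM sms ORDER BY lead").fetchall()
```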
Every login, password change, settings modification, billing event, and bot action is recorded in an append-only audit log with actor, IP, and timestamp. This gives a forensic-grade trail for any incident investigation.
Daily outbound caps, business-hours gating per lead's local timezone, automatic STOP/UNSUBSCRIBE/QUIT detection, master kill switch, dry-run approval mode for new accounts. Compliance is the default, not an afterthought.
We test every change. Every commit runs through 500+ automated tests covering the auth layer, tenant isolation, scheduler gates, and Stripe webhook handling. Customers on Enterprise plans can request access to compliance documentation.
We notify customers within 72 hours of becoming aware of a security incident affecting their data, consistent with applicable law. Our incident response runbook is available on request to Enterprise customers.
Compliance certifications
We're a young company, and we're transparent about where we are.
Built into the bot's defaults from day one.
Right-to-be-forgotten implemented; cascading delete on tenant termination.
Targeted for Q4 of our first year of GA.
Targeted within 12 months of GA.