Security & Privacy

Your data is safe with us

AURA is built with security and privacy at every layer — from encrypted credentials to strict tenant isolation and responsible data governance.

TLS 1.2+ In Transit
AES-256 Encrypted Storage
Tenant Isolation
RBAC Access Control

Data Encryption

All data transmitted between your browser, your customers, and Aura AI is encrypted using TLS 1.2 or higher. Sensitive credentials — such as WhatsApp access tokens, page tokens, and API keys — are stored at rest using AES-256-CBC encryption. Decryption keys are never stored alongside the encrypted data.

  • TLS 1.2+ enforced on all connections (HTTP Strict Transport Security)
  • AES-256-CBC encryption for all stored credentials and integration tokens
  • Passwords are never stored — Aura uses magic-link authentication only

Tenant Isolation

Aura AI is a multi-tenant platform, and tenant isolation is a core architectural principle. Every conversation, bot, knowledge source, lead, and team member is scoped to a single tenant. It is architecturally impossible for one tenant to read or modify another tenant's data.

  • Every database record is keyed by tenantId — no cross-tenant queries are possible
  • API endpoints enforce tenant ownership on every read and write
  • File uploads and knowledge base content are isolated per tenant
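One way to enforce the "every record is keyed by tenantId" rule in the data-access layer, as an added example rather than Aura AI's own code: a repository that only exposes methods taking a tenant id, stores rows under a compound `(tenantId, id)` key, and treats a lookup for another tenant's id as "not found" on both reads and writes, so the API handler cannot accidentally reach across tenants. The in-memory store and the `leads` collection are constructed for the example.

```javascript
// Added example (hypothetical, not Aura AI's implementation): a tenant-scoped repository.
// Every method requires tenantId; there is deliberately no findById(id) without a tenant.

class TenantScopedRepo {
  constructor() {
    this.rows = new Map(); // key: `${tenantId}:${id}` -> record (constructed in-memory store)
  }

  static key(tenantId, id) {
    if (!tenantId) throw new Error("tenantId is required for every query");
    return `${tenantId}:${id}`;
  }

  create(tenantId, id, data) {
    const record = { tenantId, id, ...data };
    this.rows.set(TenantScopedRepo.key(tenantId, id), record);
    return record;
  }

  // Returns null when the record does not exist OR belongs to a different tenant;
  // the caller cannot distinguish the two cases, which avoids leaking other tenants' ids.
  findOne(tenantId, id) {
    const record = this.rows.get(TenantScopedRepo.key(tenantId, id));
    return record && record.tenantId === tenantId ? record : null;
  }

  // Ownership is re-checked on write, not just on read.
  update(tenantId, id, patch) {
    const record = this.findOne(tenantId, id);
    if (!record) return false;
    Object.assign(record, patch, { tenantId, id }); // patch can never change the owner
    return true;
  }

  listAll(tenantId) {
    TenantScopedRepo.key(tenantId, ""); // reuse the tenantId guard
    return [...this.rows.values()].filter((r) => r.tenantId === tenantId);
  }
}

// A request handler shaped like the page describes: the tenant comes from the authenticated
// session, never from the URL or body, and the repository enforces ownership on every call.
function getLeadHandler(repo, session, params) {
  const lead = repo.findOne(session.tenantId, params.leadId);
  return lead ? { status: 200, body: lead } : { status: 404, body: "not found" };
}

module.exports = { TenantScopedRepo, getLeadHandler };
```

Note that `update` rejects a patch that tries to set `tenantId`, and `listAll` filters by the session's tenant rather than trusting a client-supplied value.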

Access Control

Aura AI uses Role-Based Access Control (RBAC) across all authenticated areas. Team members are assigned roles — Owner, Admin, or Agent — with different permission levels. Authentication is handled via magic links (no passwords stored), reducing the risk of credential theft.

  • Three-tier RBAC: Owner → Admin → Agent with scoped permissions
  • Magic-link authentication — no passwords ever stored
  • Session tokens are short-lived and invalidated on logout
  • SuperAdmin panel (Gudam) is separate from the tenant application and independently protected

Data Ownership & Governance

You own your data — always. Aura AI does not sell your data to third parties, does not use your customer conversations to train AI models, and does not aggregate customer data across tenants for profiling.

  • Your customer conversations are never used to train AI models
  • Your data is never sold, shared, or resold to third parties
  • You can export or delete your data at any time
  • Account deletion removes all associated data after a 14-day grace period

API & Webhook Security

All webhooks are delivered over HTTPS. Webhook endpoints validate payloads using verify tokens (for Meta platforms) and signed secrets where available. Inbound webhook endpoints are hardened against replay attacks and always return 200 immediately to prevent retry storms.

  • Meta webhook verify tokens are encrypted and stored per-tenant
  • Webhook endpoints reject unverified payloads with a 403 response
  • Rate limiting applied to all public API endpoints
  • CSRF protection on all authenticated web routes

Meta Platform Compliance

Aura AI operates exclusively through Meta's official APIs (WhatsApp Business Platform, Messenger Platform, Instagram Messaging API). We enforce all platform policies at the application level.

  • Only official Meta Business APIs are used — no unofficial scraping or workarounds
  • WhatsApp template messages require explicit pre-approval from Meta
  • 24-hour messaging window rules are respected on Messenger and Instagram
  • End-user opt-in is required before any outbound messaging
  • Prohibitions on spam, scraped contact lists, and deceptive messaging are enforced

Prohibited Uses

To protect all users and comply with platform policies, the following uses are strictly prohibited on Aura AI:

  • Sending unsolicited messages or spam to contacts who have not opted in
  • Using scraped, purchased, or harvested contact lists
  • Impersonating other people, brands, or organisations
  • Circumventing official channel APIs or platform terms of service
  • Any activity that violates applicable law or Meta's Business Platform policies

Responsible Disclosure

If you discover a security vulnerability in Aura AI, please report it responsibly. We take all security reports seriously and will acknowledge your report within 48 hours.

mahdy@augmex.io

Please include a description of the issue, steps to reproduce, and any relevant screenshots or proof of concept. Do not publicly disclose the vulnerability until we have had a chance to address it.

Have questions about our security practices? Check our Help Center.