Compliance

GDPR

Data Collected

| Data | Purpose | Retention |
| --- | --- | --- |
| OAuth profile (name, email, avatar) | Authentication | Until account deletion |
| API keys (hashed) | Consumer authentication | Until revoked |
| Help request metadata | Request tracking | 24 hours (auto-expiry) |
| Encrypted messages | Help request content | 24 hours (auto-expiry) |
| Encrypted responses | Consumer response delivery | 24 hours (auto-expiry) |

Data Handling

  • Encryption at rest — all message content is encrypted using RSA-OAEP + AES-256-GCM
  • Auto-expiry — requests and their data expire after 24 hours
  • Zero-knowledge responses — the platform cannot read consumer responses
  • No tracking — no analytics, cookies (beyond auth session), or third-party trackers

Data Subject Rights

  • Access — view your data in the dashboard
  • Deletion — revoke API keys, delete account
  • Portability — export via API

Self-Hosting

For maximum data sovereignty, self-host your own instance. All data stays on your infrastructure.

Security Vulnerability Reporting

Do not open public issues for security vulnerabilities.

Report security issues via email: security@thomasansems.nl

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact