How is my data secured?

We use bank-grade encryption (AES-256) for data at rest and TLS 1.3 for data in transit. Your content is isolated in your own Supabase project environment.

Can I customize the look and feel?

Yes. You can fully customize the widget colors, launcher icon, welcome messages, and suggested prompts to match your brand guidelines.

What happens if the AI doesn't know the answer?

The AI will honestly state it doesn't know and can be configured to suggest contacting human support or searching specific help articles.

Do you offer higher-volume plans?

Yes. If you expect lots of conversations, reach out and we'll help you choose a plan that fits your business.

Security and Privacy

Your data security and customer privacy are our top priorities. Resly is built with enterprise-grade security and privacy-first principles.

Data Encryption

In Transit

All browser requests go through HTTPS via Vercel (app hosting) and Supabase (database/APIs)
TLS termination, certificate rotation, and cipher choices are managed by those providers

At Rest

Supabase encrypts Postgres disks and object storage by default
Conversations, tickets, and knowledge sources stay inside Supabase-managed databases
API keys are hashed before storage and stored only on the server

All data is encrypted both in transit and at rest using industry-standard encryption protocols.

Privacy Commitments

Your Data is Yours

We never use your content or conversations to train AI models
No data selling - We will never sell or share customer data with third parties
Transparent processing - You control what knowledge goes into the system
Customer consent - Your customers know they’re interacting with AI

Data Ownership

You own your data - Content, conversations, analytics
Export anytime - Download all data in standard formats
Delete on request - Remove customer conversations as needed
No lock-in - Take your data with you if you leave

Third-party AI: We use OpenAI for AI capabilities. Your data sent to OpenAI is NOT used to train their models per API usage agreement.

Compliance

We follow privacy-by-design practices—data ownership stays with you, content can be exported or deleted on request, and we do not use customer content to train global models.

Formal certifications such as SOC 2, ISO 27001, HIPAA, or a signed BAA are not yet available. Please reach out before purchasing if you require a specific attestation.

Access Control

Role-Based Permissions

Four access levels for team members:

Role	Permissions
Owner	Full access including billing
Admin	Full dashboard access, no billing
Editor	Modify content and settings
Viewer	Read-only access

Authentication

Email/password auth powered by NextAuth
Session-based access for admin dashboard
Password reset via signed email links
Automatic session timeout after inactivity

API Security

API keys scoped to your organization
Keys encrypted and hashed in database
Rotatable - Update keys anytime without downtime
Rate limiting to prevent abuse

Infrastructure Security

Cloud Infrastructure

Front-end + serverless API routes run on Vercel
Persistence, authentication, and storage are hosted by Supabase
Backups, redundancy, and patching are handled by those providers; we do not operate custom infrastructure yet

Network Security

Supabase service-role keys stay on the server and Row Level Security protects org data
Rate limiting is enforced inside key API routes (e.g., /api/chat)

Data Residency

Primary infrastructure currently lives in US-based regions (Vercel + Supabase)
CDN distribution via Vercel’s global edge network for faster asset delivery

Privacy Practices

Data Collection

We collect only what’s necessary:

From customers using widget:

Messages sent to AI
Optional: email, name (if provided)
Session metadata (timestamp, page URL)
Tool execution results

From administrators:

Account information (email, name)
Knowledge base content
Usage analytics
Billing information (via Stripe)

Data Usage

Your data is used only for:

Providing the service (answering customer questions)
Improving your specific AI agent
Analytics and reporting for your account
Support and troubleshooting when needed

Never used for: Training our AI models, selling to third parties, advertising, or anything not directly related to providing you service.

Data Retention

Conversations: Retained per your plan (customizable for Enterprise)
Knowledge base: Retained while account active
Analytics: Aggregated, anonymized after 90 days
After cancellation: Data preserved for 90 days, then deleted unless reactivated

Security Best Practices

For Administrators

Use strong passwords - 12+ characters, unique to Resly
Rotate API keys regularly (every 90 days recommended)
Review team access periodically - Remove inactive users
Monitor usage for unusual patterns
Enable 2FA when available (coming soon)

For Deployment

Use HTTPS - Widget requires secure site
Secure API keys - Never expose in client-side code
Environment variables - Store keys in env vars, not code
Limit integrations - Only connect necessary services
Review logs - Monitor for unauthorized access attempts

Incident Response

Security Monitoring

24/7 monitoring of infrastructure
Automated alerts for suspicious activity
Log analysis for security events
Regular vulnerability scanning

Incident Protocol

If security incident occurs:

Immediate containment - Stop the threat
Investigation - Determine scope and impact
Notification - Inform affected customers within 72 hours
Remediation - Fix vulnerability, prevent recurrence
Post-mortem - Document and learn

Enterprise customers receive direct notification of any security incidents affecting their data.

Third-Party Services

Service Providers We Use

OpenAI - AI capabilities

Data not used for training
API-only access (not ChatGPT)
Enterprise data policies apply

Stripe - Payment processing

PCI DSS compliant
Card data never touches our servers
Industry standard for payments

Supabase - Database hosting

SOC 2 Type II certified
GDPR compliant
Data encrypted at rest

Vetting Process

All third-party services are:

Security audited before integration
Contractually obligated to protect data
Regularly reviewed for compliance
Replaceable if standards drop

Questions About Security?

We’re happy to discuss how we protect your data, walk through our architecture, or review custom requirements.

Contact: alexwohl@accelara.ai

Next Steps

Review support options - Get help when needed
Check compliance - Enterprise compliance features
Contact sales - Enterprise security discussion
Privacy Policy - Full legal privacy policy
Terms of Service - Complete terms and conditions