Security & Responsible Disclosure

Last updated: 24 April 2026

PumAI is built for Australian businesses that handle sensitive customer conversations across WhatsApp, Instagram, Messenger and Webchat. Security is a first-class concern across every layer of the platform. This page summarises how we protect your data, the controls available to your team, and how to report vulnerabilities.

Data protection

Encryption in transit

All traffic between your browser, end users, the dashboard and our APIs is served over HTTPS with TLS 1.2 or higher. HSTS is enforced (max-age=63072000; includeSubDomains; preload), a two-year policy that also covers subdomains and is eligible for browser preload lists, so browsers always upgrade connections to HTTPS. Outbound connections to Meta, Whapi, OpenAI and Stripe are also TLS-encrypted.

Encryption at rest

Primary data stores (PostgreSQL, Redis, object storage) are encrypted at rest using AES-256 managed by our infrastructure provider. Channel credentials such as Meta page tokens and Whapi session keys are additionally encrypted application-side before they are written to the database — the raw token value is never stored in plaintext.

Passwords and secrets

User passwords are hashed with bcrypt. 2FA secrets (TOTP) are stored encrypted and never returned through the API. Backup codes are hashed on write and single-use. API keys and webhook secrets are rotatable from the dashboard.

Hosting and data residency

PumAI application infrastructure runs in Australian regions. Customer-facing endpoints, primary databases and Redis instances are hosted in Australia. Operational backups are stored encrypted within the same region with cross-zone redundancy. See our Privacy Policy for the full list of sub-processors and the jurisdictions where each operates (cross-border disclosures under APP 8).

Access controls

  • Role-based access — Owner, Admin and Member roles scope what team members can see and do within a business.
  • Two-factor authentication (2FA) — TOTP (Google Authenticator, 1Password, Authy, etc.) is available on every account. Admins can require 2FA for their team.
  • Multi-tenant isolation — every database query is scoped by businessId. A user in one business cannot read or write data belonging to another.
  • Session management — sessions are HTTP-only, Secure, SameSite cookies signed and rotated by NextAuth. You can revoke active sessions from the dashboard.
  • Least privilege in production — access to production systems is limited to named engineers and gated by SSO with 2FA. Access is logged and audited.

Application security

  • Content Security Policy with per-request nonce applied via middleware.
  • CSRF protection on all authenticated form posts.
  • Server-side input validation with Zod on every API and server action.
  • HMAC-SHA256 verification of Meta, Whapi and Stripe webhook signatures.
  • Redis-backed rate limiting on authentication, sign-up and public APIs.
  • Dependency scanning and automated upgrades for critical vulnerabilities.
  • OWASP Top 10 aligned code review for every change touching auth, payments or webhooks.

Backups and continuity

  • Automated daily backups of the primary database with 30-day retention.
  • Point-in-time recovery available for the last 7 days.
  • Backups are encrypted and stored redundantly across zones.
  • We rehearse database restore procedures on a scheduled basis.

Logging and monitoring

Structured logs (Pino) capture authentication events, webhook deliveries, billing changes and administrative actions. Logs are retained for 12 months. Production errors are surfaced via real-time alerts to on-call engineers. Anomalous sign-in patterns and rate-limit violations are recorded for investigation.

Incident response

If a security incident occurs, we follow a documented runbook:

  1. Detect and contain — isolate affected systems and revoke compromised credentials.
  2. Assess impact — determine what data and which customers are affected.
  3. Notify — under the Australian Notifiable Data Breaches scheme we notify affected individuals and the OAIC within the required timeframes.
  4. Remediate — deploy the fix, rotate secrets, restore service.
  5. Post-incident review — publish an internal write-up and implement preventative controls.

Compliance

  • Privacy Act 1988 (Cth) and the Australian Privacy Principles.
  • Spam Act 2003 (Cth) — outbound messaging controls and unsubscribe handling.
  • Meta Platform Terms, WhatsApp Business Policy and Instagram Platform Policy.
  • SOC 2 Type II and ISO/IEC 27001 on our roadmap for Enterprise customers; enquiries at sales@pumai.com.au.

Sub-processors

We use a small set of vetted sub-processors to operate the service (OpenAI for AI responses, Stripe for payments, Meta for channel APIs, Whapi for WhatsApp, Google for optional SSO). The full list, purposes and jurisdictions are documented in our Privacy Policy.

Report a vulnerability

Email security@pumai.com.au. Please include:

  • A clear description of the issue.
  • Steps to reproduce.
  • Affected endpoint or component.
  • Impact assessment (what an attacker could do).
  • Your contact details for follow-up.

PGP key available on request.

Our commitment

  • We acknowledge reports within 2 business days.
  • We provide regular status updates while we investigate.
  • We coordinate public disclosure with you once a fix is deployed.
  • We do not pursue legal action against researchers acting in good faith and within this policy.

Scope

  • pumai.com.au and its subdomains.
  • The PumAI dashboard, APIs and embeddable webchat widget.
  • Our published Stripe, Meta and Whapi integrations.

Out of scope

  • Social engineering, phishing or physical attacks against PumAI staff.
  • Denial-of-service testing without prior arrangement.
  • Missing best-practice configurations that do not lead to a direct vulnerability (e.g. missing security headers on static pages).
  • Vulnerabilities in third-party services we consume — please report directly to the vendor.

Safe harbour

Researchers who follow this policy and avoid privacy violations, destruction of data and interruption of service are welcome to test against production. Use test accounts where possible and delete any data obtained during testing.

Contact

Security team — security@pumai.com.au