Security Overview
Version 2.0 - Effective 2026-07-08 - Change log
Template document: review by a qualified data-protection lawyer or DPO before commercial reliance. Not legal advice.
This page summarises how Amaigo secures the Whistle intake widget and the data it processes. It is written to be attached to a vendor due-diligence review. For pre-answered questionnaire responses, see the Security and Due-Diligence Questionnaire. For how we handle incidents, see the Breach Response Procedure.
Where your data lives
Personal data is stored in the EU only. Our AI provider processes redacted free text in the US under the safeguards described in our DPA and Transfer Risk Assessment.
| Service | Provider | Region | Function |
|---|---|---|---|
| Website and serverless functions | Vercel | Frankfurt (fra1) | Marketing site, booking pages, functions |
| Application server and PostgreSQL | Railway | Amsterdam | Chat server, lead storage, audit log |
| DNS, WAF, bot mitigation | Cloudflare | Global edge (no personal-data storage) | DDoS protection, firewall, Turnstile |
| Booking | Cal.com | EU | Consultation scheduling |
| Transactional email | Resend / Postmark | EU | Lead alerts, booking confirmations |
| AI model | Anthropic | US | Chat responses on redacted text only |
The full list, including transfer mechanisms, is on the sub-processor list.
Encryption
- In transit: TLS on every connection, including between our services and every provider above.
- At rest: encryption at rest via the managed PostgreSQL database on Railway.
Privacy by design
- Structured contact capture: names, phone numbers, and emails are collected through structured form fields that never pass through the AI.
- Automated PII redaction: free-text messages are redacted (emails, phone numbers, long digit runs) before any AI processing.
- No transcripts by default: raw conversation transcripts are not stored unless a client explicitly enables them.
- No chat content in logs: server logs never contain message content.
- Append-only audit log: compliance-relevant events are recorded in an append-only log that contains no personal data.
See the Privacy Policy and AI Transparency Notice for the full data-flow description.
Application security
- Per-tenant isolation: every database query is scoped by client id; tenant identifiers are validated on input; no cross-tenant access paths exist.
- Input validation: every endpoint validates its input against a Zod schema; invalid or unknown tenant configurations fail safe.
- Security headers: strict headers including HSTS, frame-ancestors, and content-type options.
- Parameterised database access: no raw SQL string construction.
- Rate limiting: per-IP and per-tenant limits on all public endpoints.
- Bot mitigation: Cloudflare Turnstile on booking, plus Cloudflare WAF in front of everything.
- Admin endpoints: export, erasure, and metrics endpoints require a server-side bearer token and are never exposed to the widget.
Key and secret management
- Secrets (API keys, database credentials, admin tokens) are held in backend environment configuration only, on Railway and Vercel.
- No secrets ship in the widget bundle or are ever available to the browser; the widget receives only a filtered public configuration.
- CI secret scanning prevents credentials being committed to source control.
- Secrets are rotated on personnel changes and on any suspected exposure or security incident.
Operations
- Least-privilege database user for the application; no shared or default credentials.
- Managed backups via the database provider.
- Automated retention purge per the Retention Schedule (default 365 days, configurable per client).
- Dependency scanning and a security review before each release.
Certifications: an honest roadmap
Amaigo does not currently hold SOC 2, ISO 27001, or Cyber Essentials certification. These are planned as the platform matures, and we know SOC 2 is commonly treated as the floor by legal-industry security reviewers. In the meantime, this page and the Security and Due-Diligence Questionnaire exist to answer due diligence directly and honestly: what we run, where it runs, and what controls are actually in place. We would rather describe real controls precisely than gesture at certifications we have not yet earned.
Related documents
DPA (auto-incorporated into the Terms), Sub-processors, AI Transparency Notice, Breach Response, Retention Schedule, Transfer Risk Assessment.
Questions: [email protected].
This document is a GDPR-aligned template and must be reviewed by a qualified data-protection lawyer or DPO before commercial reliance. It is not legal advice.