Security overview

Technical and organisational details for procurement, compliance, and security teams evaluating oHallo.

Every decision the platform makes leaves an audit record that you can read, export, and delete at any time.

Infrastructure security

Data centre: Germany (EU).

Network isolation: Application services run on a private network. They have no public endpoint. All public traffic terminates at the load balancer.

Firewall: Inbound traffic is restricted at the cloud firewall to the load balancer and the operator VPN. Administrative ports are never exposed to the public internet.

Database access: Databases are reachable only from inside the cluster. They hold no public IP and accept no public connections.

Operator access: Administrative access requires a VPN restricted to operator IP ranges. SSH uses key-based authentication only; password authentication is disabled.

Encryption in transit: TLS 1.2 or higher on all external connections, terminated at the load balancer with an auto-renewed certificate.

Encryption at rest: AES-256 for all persistent storage volumes.

Secrets management: Dedicated secrets manager. Credentials are never stored in application databases.

Internal services: Service-to-service communication is authenticated with shared secrets. Internal endpoints are not reachable from external networks.

Encryption key access: Privileged access to encryption keys is restricted to authorized personnel with a business need.

Configuration management: Production configuration is managed through version-controlled infrastructure-as-code. Every change is reviewed and applied through a controlled pipeline.

Production inventory: A formal inventory of production system assets is maintained and kept in sync with the systems actually running in production.

Data handling

Data residency: All processing and storage takes place in the European Union.

Account isolation: Every database query, cache key, storage path, and workflow execution is scoped to a single account. No data layer is shared between customers.

Data retention: Conversation data is retained for the duration of the contract. Customers can request data export or deletion at any time.

Backups: Daily volume snapshots, nightly encrypted database backups, and continuous transaction-log archiving. Point-in-time recovery is available with a window under one minute. All backup copies remain in the European Union.

Data classification: A documented data classification policy governs how customer data is handled, accessed, and retained based on sensitivity.

Access control

Authentication: JWT-based sign-in for the dashboard. API keys for programmatic access, stored as SHA-256 hashes and scoped per call.

Authorisation: Role-based access control per workspace. The account boundary is enforced at every API layer.

Product security

Change management: Production releases are driven from the main branch by automated continuous integration. No deploy bypasses the pipeline.

Type safety: The entire codebase is TypeScript with strict mode, exact optional properties, and no implicit any. Type errors fail the build.

Automated tests: Unit and integration tests run on every change. Code lands on the main branch only when tests pass.

Dependency security: Application dependencies are pinned with a lockfile. Security advisories from the upstream registry are tracked and updated through an automated dependency-update pipeline.

Vulnerability and system monitoring: Vulnerability management and system monitoring procedures are established. Application dependencies are tracked continuously against the upstream advisory database.

Input validation: Every request body is validated against an explicit schema at the API boundary. Requests that do not match are rejected before reaching application logic.

Audit logging: Operator actions that modify an account are recorded with actor, target, and timestamp. Audit records are retained for the duration of the contract.

Organizational security

Background checks: Background checks are performed on new employees.

Confidentiality agreements: Employees and contractors sign a confidentiality agreement at engagement.

Code of conduct: Employees and contractors acknowledge a written code of conduct at engagement.

Access lifecycle: Access to production systems is provisioned per role and revoked on termination within defined SLAs.

Security awareness: Security awareness training is completed by every employee at engagement and on a recurring basis.

Asset handling: Company devices are inventoried, encrypted, and wiped at end of life.

Resilience

Continuity and disaster recovery: A documented continuity and disaster recovery plan is maintained and tested at least annually.

Backup and recovery policy: A documented backup and recovery policy governs backup frequency, retention, and restoration.

Service status: A real-time service status page reports component health and incidents.

Change communication: Customers are notified of critical system changes that may affect their processing.

Compliance

GDPR: The platform is built for GDPR compliance. Data minimisation, purpose limitation, and data subject rights are supported by design.

DPA: A Data Processing Agreement compliant with GDPR Article 28 is available for every customer.

Privacy policy: The full privacy policy describes what data is collected, how it is used, and how data subject rights are exercised.

AI transparency

Every reply produced by oHallo is supported by a structured record of how it was produced. The record is visible in the dashboard for operators and is also exposed over the API so that compliance and quality teams can pull it into their own systems.

Decision record: Every agent decision is recorded with its inputs, the reasoning produced, the model used, and the result. One row per decision, scoped to the conversation that triggered it.

Tool-call record: Every call out to a connected system is recorded with the tool invoked, the arguments passed, the response received, and the policy decision that allowed it.

Audit API: Decision records and tool-call records are queryable per conversation via the public API. Exports can be retained and analysed in the customer's own environment.

Dashboard inspector: Operators can open any conversation and step through the full chain that produced the reply, including which knowledge entries and policies were consulted and how the reply was validated before delivery.

Retention: Audit records are retained for the duration of the contract and follow the same export and deletion rules as the underlying conversation data.

Subprocessors

The following third parties process customer data on behalf of oHallo customers.

Provider: Purpose

Amazon Web Services: Email delivery, object storage, and language model inference. Frankfurt, Germany.

ElevenLabs: Text-to-speech.

European Commission (VIES): VAT number validation and company data.

Hetzner Online GmbH: Compute and storage infrastructure. Germany.

Kinde: Authentication and identity management.

SiliconFlow: Vision model inference and text embeddings.

Soniox: Speech-to-text.

Telnyx: Voice and SMS connectivity.

Incident response

Where a security incident affects customer data, affected customers are notified within 72 hours of detection, as required by GDPR Article 33. Post-incident reports are provided on request.

Vulnerability reports from researchers and customers are welcomed. Reports are accepted through the contact form and acknowledged on receipt. In-scope targets include the ohallo.eu marketing site, the platform dashboard, and the public API. Out of scope are denial-of-service tests, social engineering of staff, and any testing that would affect another customer's data.

We work with the reporter to validate and resolve the issue and confirm a remediation timeline. We do not pursue legal action against researchers acting in good faith within the scope defined above.

Security contact

To report a vulnerability or request additional security documentation, contact us.