Access Control
Secure sessions, MFA, owner/admin/manager/agent/viewer roles, and policy checks protect account, CMS, lead, and integration workflows.
Workspace owners should keep MFA enabled for privileged users, remove inactive users, use least-privilege roles, and avoid sharing admin credentials.
Service Design
The production service uses HTTPS for public traffic, isolated service boundaries, and controlled integration paths for lead sources and destinations.
Data Protection
MFA secrets, notification secrets, and outgoing webhook signing secrets are encrypted at rest. Sensitive lead fields are mirrored into encrypted storage for future redaction workflows, and audit logs record account and integration changes.
Integration Security
Webhook secrets, chat webhooks, CRM tokens, SMS/WhatsApp/voice bridge URLs, and customer-owned destination credentials should be treated like passwords. Rotate exposed secrets immediately and test every destination after rotation.
Monitoring
Health endpoints, public uptime checks, alert delivery logs, webhook retry history, and backup procedures support incident response and operational continuity.
Backups and Recovery
Production backups run on a schedule. Restore procedures are maintained so recovery can be tested safely before production use.
Incident Response
When a security issue is reported or detected, the response should prioritize containment, log review, credential rotation, customer communication where required, remediation, and follow-up prevention work.
Responsible Disclosure
Security concerns can be reported to admin@instachime.com. Please include affected URLs, steps to reproduce, and the impact you observed.
Related documents: Privacy Policy, Data Processing Addendum, and Terms of Service.