
Security at Every Layer

From infrastructure to application code, we implement security best practices throughout our stack.

Encryption

All data is encrypted both in transit and at rest.

  • TLS 1.3 for all connections
  • AES-256 encryption for stored data
  • Fernet encryption for API keys
  • HTTPS enforced on all endpoints

Authentication

Industry-standard authentication practices.

  • bcrypt password hashing (12 rounds)
  • Timing-safe comparison functions
  • Secure token generation
  • Rate-limited login attempts

Infrastructure

Secure, modern infrastructure with automatic updates.

  • Containerized deployments
  • Regular security patches
  • Automated backups
  • DDoS protection

Rate Limiting

Protection against abuse and brute force attacks.

  • Per-endpoint rate limits
  • Daily usage caps
  • Authentication throttling
  • Redis-backed for scalability

Input Validation

Every input is validated and sanitized.

  • SQL injection prevention
  • XSS protection
  • Column name whitelisting
  • Strict type validation

Access Control

Role-based access with least-privilege principles.

  • API key authentication
  • Role-based permissions
  • Token expiration
  • Audit logging

HTTP Security Headers

Every response from our API includes security headers that protect against common web vulnerabilities.

  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection
  • Strict-Transport-Security
  • Content-Security-Policy
  • Referrer-Policy

These headers prevent clickjacking, XSS attacks and MIME-type sniffing, and enforce HTTPS connections.

Our Security Headers

  • X-Content-Type-Options: nosniff
  • X-XSS-Protection: 1; mode=block
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Strict-Transport-Security: max-age=31536000
  • Content-Security-Policy: default-src 'self'; ...

Verify these headers yourself using browser developer tools or a service such as securityheaders.com.

Widget Security Options

We offer multiple integration options to meet your security requirements.

Standard Script Embed

Our standard widget uses a lightweight JavaScript file loaded directly on your page.

Features:
  • Smallest footprint (~15KB gzipped)
  • Full customization options
  • SRI hash support for integrity verification
<script src="https://tailore.dev/widget/tailore-widget.js" integrity="sha384-[hash]" crossorigin="anonymous"></script>

Sandboxed Iframe Embed

For maximum isolation, embed the widget in a sandboxed iframe that cannot access your page's DOM or cookies.

Security Benefits:
  • Complete DOM isolation
  • No access to parent page cookies
  • Restricted to same-origin communication
  • Ideal for strict CSP environments
<iframe src="https://tailore.dev/widget/embed/{botId}" sandbox="allow-scripts allow-same-origin" style="border:none; width:80px; height:80px; position:fixed; bottom:20px; right:20px;"></iframe>

Content Security Policy Configuration

If your site uses a Content Security Policy, add these directives to allow the Tailore widget:

Content-Security-Policy:
  script-src 'self' https://tailore.dev;
  connect-src 'self' https://tailore.dev wss://tailore.dev;
  style-src 'self' 'unsafe-inline';
  frame-src https://tailore.dev;

The style-src 'unsafe-inline' source is required for the standard embed. The iframe embed does not require it.

Data & Privacy

We collect only what's necessary and protect everything we store.

What We Collect

Our widget collects minimal data necessary for chatbot functionality:

  • Conversation messages - To provide responses
  • Session ID - Anonymous identifier (no cookies)
  • Page URL/title - For contextual responses
  • Browser language - For automatic translation

We do NOT collect: IP addresses for tracking, personal identifiers, cross-site tracking data, or third-party analytics.

Your Rights

  • Access - Request a copy of all data associated with your account
  • Deletion - Request complete deletion of your data at any time
  • Portability - Export your data in standard formats
  • Correction - Update or correct any inaccurate information

Privacy Compliance

  • GDPR - EU data protection ready
  • CCPA - California privacy compliant
  • Data Minimization - Only essential data
  • No Third-Party Tracking

Security Reporting

We appreciate the security research community and welcome responsible disclosure of any vulnerabilities.

If you discover a security issue, please report it to us privately. We commit to:

  • Acknowledging your report within 24 hours
  • Providing regular updates on our progress
  • Crediting you (if desired) once the issue is resolved
  • Not pursuing legal action for good-faith research

Report a Vulnerability

Please send security reports to:

[email protected]

Please include detailed steps to reproduce the issue and any relevant proof-of-concept code.

Questions about security?

We're happy to discuss our security practices in more detail. Contact us to learn more.
