Security and data ownership
Your support conversations are your business data. Store them in your system of record, apply your policies, and change vendors without exporting a decade of history.
Principles
- Data ownership — conversations live in your backend, not ours.
- Least privilege — integrations use scoped credentials with minimal permissions.
- Tenant isolation — product slugs map to specific backends and installations.
- Auditability — use your existing audit logs and retention policies.
Personal data handling
Support conversations often contain personal data. When you implement the Support SPI, you control storage — encryption, retention, and access controls — so you can meet internal compliance requirements directly.
Operational safeguards
Recommended practices for production use:
- Run your SPI server behind TLS.
- Use request authentication (see SPI docs) and rotate credentials regularly.
- Log request IDs and status codes for debugging and correlation.
- Apply rate limits and backpressure on message creation endpoints.
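
One way to combine the last two practices, shown as an added example that is not part of the Support SPI or its documentation: a per-product-slug token bucket with a cap on in-flight writes, logging only the request ID, slug and status. The class names, limits, the `X-Request-Id` header and the 202/429/503 mapping are assumptions.

```python
import logging
import math
import time
import uuid

log = logging.getLogger("spi.messages")  # logger name is an assumption

class TokenBucket:
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst   # tokens/second, capacity
        self.tokens, self.stamp = float(burst), now

    def take(self, now):
        """Spend one token. Returns 0.0 if allowed, else seconds to wait."""
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        return (1.0 - self.tokens) / self.rate

class MessageCreateGuard:
    """Per-product-slug rate limit plus a cap on in-flight writes (backpressure)."""
    def __init__(self, rate=5.0, burst=10, max_in_flight=100, clock=time.monotonic):
        self.rate, self.burst, self.max_in_flight = rate, burst, max_in_flight
        self.clock, self.buckets, self.in_flight = clock, {}, 0

    def admit(self, product_slug, request_id=None):
        """Return (status, headers); on 202 the caller stores the message, then calls done()."""
        request_id = request_id or str(uuid.uuid4())
        headers = {"X-Request-Id": request_id}   # header name is an assumption
        now = self.clock()
        if self.in_flight >= self.max_in_flight:
            # Backend is saturated: shed load instead of queueing without bound.
            status, headers["Retry-After"] = 503, "1"
        else:
            bucket = self.buckets.setdefault(
                product_slug, TokenBucket(self.rate, self.burst, now))
            wait = bucket.take(now)
            if wait > 0:
                status, headers["Retry-After"] = 429, str(math.ceil(wait))
            else:
                status = 202
                self.in_flight += 1
        # Log the ID, tenant and status only; message bodies may hold personal data.
        log.info("request_id=%s product=%s status=%d", request_id, product_slug, status)
        return status, headers

    def done(self):
        """Call when the store write finishes, whether it succeeded or failed."""
        self.in_flight = max(0, self.in_flight - 1)
```

Resolve the product slug to a known installation before calling `admit`, so unrecognized slugs cannot grow the bucket map.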