Trust
Security at Airclou
Your support desk holds your customers' conversations. Protecting that data is a design constraint on everything we build, not a feature we added later.
Last updated: July 12, 2026
Encryption in transit
Every connection to Airclou — browser, API, and widget — is encrypted with TLS. There is no unencrypted mode.
Tenant isolation
Every query is scoped to your tenant and workspace at the data layer. Cross-tenant reads are structurally impossible, not just forbidden.
Least-privilege access
Services and staff get the narrowest access that does the job — scoped database roles, scoped API keys, no shared superuser accounts.
Audit logging
Administrative and sensitive actions — sign-ins, permission changes, AI-taken actions — are recorded so you can see who did what, when.
Backups and recovery
Data is backed up on a regular schedule and restores are tested, so an infrastructure failure is an interruption — not a loss.
Responsible disclosure
Found a vulnerability? Tell us at support@airclou.com. We read every report and act on good-faith research, fast.
How we think about security
Airclou is a helpdesk with an AI agent that can read customer conversations and, when you allow it, act on them. That shapes our security model in two ways. First, the classic obligations of any business software: keep tenants isolated, encrypt data, control access, log what happens. Second, a newer one: an AI that can act must be governed like an employee — scoped permissions, approval gates, and an audit trail. This page describes both, in plain language. The Privacy Policy covers what data we collect and why; this page covers how we protect it.
Infrastructure security
Airclou runs on hardened cloud infrastructure. Databases are never exposed to the public internet — they accept connections only from the application services that need them, under dedicated per-service roles with the minimum privileges each service requires. Backend services run in isolated containers; host access is restricted to key-based SSH with no password authentication. Security patches for the operating system and runtime are applied on a regular cadence.
Data security
- Encryption in transit. All traffic between your browser and Airclou, between the embedded chat widget and our servers, and between our own services and external providers is encrypted with TLS.
- Credentials. Passwords are stored only as salted hashes — never in plaintext, never recoverable. API keys and service credentials are kept out of source control and rotated when exposure is suspected.
- Tenant isolation. Every workspace's data carries its tenant and workspace identity, and every query is scoped to both. The tenant is the hard security boundary: no code path reads across it without an explicit, logged administrative privilege check.
- Private files. Uploaded attachments are served only through an authenticated resolver that checks workspace membership before releasing a single byte — never from a public static directory.
Access control
Inside the product, access is governed by roles and permissions you control: who can see which inboxes, change settings, or manage billing. Inside Airclou the company, staff access to production follows least privilege — engineers use purpose-scoped accounts, administrative actions are logged, and access to customer content is limited to what supporting you requires.
Application security
Security is part of how we build, not a gate at the end. Changes are reviewed before they ship. Dependencies are scanned continuously and known-vulnerable packages are upgraded promptly. Secrets never live in the codebase. Input crossing a trust boundary — inbound email, public APIs, webhooks — is validated at the edge, and errors fail closed rather than open.
AI security and governance
Airclou's AI agent is the part of the product with the most power, so it gets the most guardrails:
- Scoped actions. The AI agent can only use the tools you have enabled, against the systems you have connected, inside the workspace it runs in.
- Approval gates. Actions that move money or can't be undone — refunds, plan changes — are gated behind explicit human approval unless you deliberately configure an auto-approval envelope, and every such write is idempotent so a retry can never double-execute.
- Full audit trail. Every AI run is recorded: what it read, what it decided, what it did, and why. Failures land in a visible state a human can act on — never a silent log line.
- No training on your data. Content processed by AI features is sent to the model provider only to produce the output you asked for, and is not used to train third-party foundation models.
Reliability
Databases are backed up on a regular schedule, and we test that backups actually restore. Services are monitored around the clock, with alerts routed to an engineer — including tripwires for the quiet failures, like an inbound-email channel that stops receiving. We deploy in small, reviewable increments so problems are small and rollbacks are fast.
Compliance
We handle personal data in line with GDPR: documented purposes, data minimization, support for access, export, correction, and deletion requests, and contractual commitments from every subprocessor. A data processing addendum is available to customers who need one — contact us.
We do not yet hold third-party certifications such as SOC 2 or ISO 27001. We would rather tell you that plainly than decorate this page with borrowed badges. When we complete an independent audit, this page will name it and link the report.
Reporting a vulnerability
If you believe you have found a security vulnerability in Airclou, email support@airclou.com with "Security" in the subject line. Include enough detail for us to reproduce the issue. We will acknowledge your report promptly, keep you informed as we investigate, and credit you if you would like us to.
We will not take legal action against research conducted in good faith: testing against your own workspace, no access to other customers' data, no service disruption, and giving us reasonable time to fix the issue before public disclosure.
Questions
Anything on this page unclear, or a question it doesn't answer? Write to support@airclou.com or use the contact page.