Security

Built to be trusted with your helpdesk data.

ConfigPilot connects to your helpdesk in read-only mode. We never write, never store raw ticket data, and never have more access than we need.

Data access

Read-only connector

ConfigPilot connects to your helpdesk using API credentials you provide. We only request read permissions — we cannot create, update, or delete any tickets, rules, or configuration in your instance.

What we read

We read ticket metadata (status, priority, group, agent assignment, SLA state, timestamps) and configuration objects (groups, agents, routing rules, SLA policies). We do not read ticket descriptions, comments, or any free-text content from conversations.

What we store

We store only pre-aggregated metrics — counts, rates, and distributions. Raw ticket data is fetched, aggregated in memory, and discarded. No individual ticket records are ever persisted to our database.

API credentials

Your helpdesk API key is encrypted at rest using Vault. It is never logged, never included in error messages, and never transmitted to third parties.

Authentication

Sign-in methods

ConfigPilot supports email/password and Google OAuth. Authentication is handled by Supabase Auth, which implements industry-standard security practices including bcrypt password hashing and secure session tokens.

Session management

Sessions are managed via short-lived JWT tokens with automatic refresh. All session tokens are transmitted over HTTPS only and are never exposed in URLs or logs.

Multi-member accounts

Accounts support multiple members with role-based access (Owner, Admin, Viewer). Each role has explicit permission boundaries enforced at the database level via Row Level Security.

Infrastructure

Application: Vercel (Edge network, auto-HTTPS)
Database: Supabase (Postgres + pgvector, RLS)
CDN / DNS: Cloudflare (DDoS protection, WAF)
AI processing: ConfigPilot LLM (No training on data)
Region: US East (Primary data residency)
Encryption: TLS 1.2+ (In transit and at rest)

AI & data processing

What we send to AI models

Analysis requests sent through the ConfigPilot LLM contain only pre-aggregated metrics (counts, rates, group names, agent counts). We never send raw ticket text, customer names, email addresses, or any personally identifiable information to our AI model.

AI model training

We do not train models on API inputs by default. Your data is not used to train or improve any AI model.

Our commitments