Conwerz
Get started free

Security at Conwerz

Last updated: 18 April 2026

How Conwerz AI protects your data and Meta Platform Data: encryption, access control, token handling, monitoring, and incident response.

Encryption

  • In transit: TLS 1.2+ with modern cipher suites on every public and internal endpoint.
  • At rest: AES-256 for the primary database, object storage, and backups.
  • Meta tokens: envelope-encrypted with a KMS-managed data key. Plaintext tokens never touch disk.
  • Secrets: managed via the cloud provider's secret manager with automatic rotation.

Access Control

  • Least-privilege IAM roles for every service and engineer.
  • Mandatory SSO + MFA for all production access.
  • Break-glass access is audit-logged and time-boxed.
  • Customer data is isolated per tenant via tenant_id row-level scoping in every query path.

Application Security

  • Webhook signatures from Meta are verified before any processing.
  • Dependencies are scanned for known CVEs on every build; critical fixes are patched within 72 hours.
  • Static analysis (Ruff, TypeScript --strict) runs on every pull request.
  • Authentication uses Firebase-issued ID tokens verified server-side on every request.
  • All user input is parameterised; output is contextually escaped to prevent XSS.

Monitoring & Audit

  • Centralised structured logs with 90-day retention.
  • Administrative actions (connect / disconnect Meta assets, billing changes, role changes) are recorded in an immutable audit log.
  • 24/7 alerting on error-rate, latency, and anomaly signals.

Backups & Disaster Recovery

  • Automated encrypted backups taken daily, retained 30 days.
  • Point-in-time recovery on the primary database up to 7 days.
  • Cross-region copies for disaster recovery with a target RPO of 1 hour and RTO of 4 hours.

Compliance Roadmap

Conwerz is designed to the controls required by SOC 2 Type II and ISO 27001. Formal audits are in progress. We already operate to GDPR, India DPDPA 2023, and CCPA obligations through our Privacy Policy and DPA.

Incident Response

We operate a 24/7 on-call rotation. Confirmed security incidents affecting customer data are disclosed to affected Business Admins within 72 hours of confirmation, consistent with GDPR Article 33.

Responsible Disclosure

Found a vulnerability? Email security@conwerz.ai with reproduction steps. We acknowledge within 48 hours, coordinate a fix, and publicly credit reporters who request it. Please give us reasonable time to remediate before public disclosure.

Related policies

Other legal and compliance documents that govern your use of Conwerz AI.