StartupCore

Security & Trust

Tenant isolation, API keys, origin validation, and data boundaries.

Security model

Tenant isolation

Every tenant's data and configuration is fully separated.

Workspace / environment isolation

Sandbox and production never share data.

Public vs secret keys

Widget keys are domain-scoped; server keys stay private.

Origin validation

Requests are checked against allowed domains.

Allowed domains

Lock down exactly where your widget can run.

Session tokens

Short-lived tokens scope each chat session.

Rate limits

Protect the platform and your usage from abuse.

Usage limits

Enforced at the API layer, not just the dashboard.

Audit logs

Track admin and tenant actions over time.

Data boundaries

Clear separation between platform, tenant, and end-user data.

Our security principles

All data encrypted at rest and in transit
Tenant data is logically and physically isolated
API keys are scoped to environments, not accounts
Allowed-domain checks happen at the API layer
Usage limits are enforced server-side
Session tokens expire automatically

API key types

pk_live_…

Public widget key

Safe to expose in frontend code. Scoped to allowed domains — requests from other origins are rejected.

sk_live_…

Secret server key

Never expose in frontend code. Use only in server-side environments to call authenticated API endpoints.

Questions about security?

Our team is happy to answer any security or compliance questions before you integrate.

Contact Sales