Security
Last Updated: March 22, 2026
Overview
Shabe AI Corp builds Shabe SaaS on modern cloud infrastructure with layered controls. This page summarizes how we approach security in the product as implemented today. It does not replace your own security review, DPA, or contractual commitments for enterprise customers.
Infrastructure & Hosting
- Application hosting: The web application is deployed on Vercel with HTTPS for user-facing traffic.
- Backend & data store: Core application data and logic run on Convex, including synced integration data and conversation history as described in our Privacy Policy.
- Authentication: User sign-in and session management are handled by Clerk.
- Vendor security: We rely on our providers' published security and compliance documentation. Customers should review those materials for certification and audit reports that apply to the underlying platform.
Encryption & Secrets
- In transit: Browser and API traffic uses TLS.
- At rest: Stored application data benefits from our database and hosting providers' encryption features.
- Integration tokens: OAuth and similar tokens are stored encrypted in our systems (for example, using application-level encryption for sensitive token fields).
- Configuration: API keys and secrets are supplied via environment configuration and are not committed to source control.
Access Control & Identity
- Accounts: Access requires an authenticated identity from Clerk.
- Teams: Product features use team membership, roles, and entitlements to limit which integrations and capabilities are available.
- Third-party OAuth: Access to Google, Slack, and other connectors is scoped by the permissions you approve with each provider.
Application Security Practices
- Error monitoring: We use Sentry to capture errors and performance issues in the application. We configure its data handling to reduce sensitive data in reports where feasible.
- Product analytics: We use PostHog with session replay disabled in our client configuration.
- AI pipeline: We apply PII-oriented sanitization and response handling designed to limit unnecessary exposure of sensitive fields when data is sent to external model APIs.
- Logging: Operational logs support reliability and security investigations; retention is limited for routine logs as described in the Privacy Policy.
Background Processing
Scheduled sync, webhooks, and related workflows may run through Convex crons and, where enabled, Inngest or similar job infrastructure. Those components process the same classes of data needed to operate the Service.
Your Responsibilities
- Maintain strong passwords and enable MFA on your identity provider or Clerk where available.
- Review connected integrations and disconnect services you no longer use.
- Ensure your use of the Service complies with your company policies and applicable regulations.
Reporting Security Issues
If you believe you have found a security vulnerability, email info@shabe.ai with a clear description and steps to reproduce. We appreciate responsible disclosure.