Need help? Talk to Fred. The chatbot that listens.
Get Fred
Login

Built for regulated industries.
Secured like it.

SVA handles sensitive conversations in healthcare, finance, legal, and insurance. Security isn’t a feature—it’s the foundation everything else is built on.

GDPR

CCPA

LGPD

PIPEDA

Security architecture at a glance

Your data stays yours

BYOAPI architecture means conversations flow through your API keys. We don't store or access your AI provider data.

Encrypted everywhere

256-bit encryption for data at rest. TLS 1.3 for data in transit. API keys salted and hashed.

Global privacy compliance

Built-in consent handling for GDPR, CCPA, LGPD, and PIPEDA. PII scrubbing before storage.

Complete audit trail

Every conversation, every action, every security event logged and exportable for compliance review.

Where your data lives—and doesn't

What we store

  • Conversation transcripts (with consent)
  • Lead data synced to your CRM
  • Intent analysis results
  • Widget configuration
  • Guardrail rules and violation logs

What we don't store

  • AI provider API keys (encrypted, never readable)
  • Raw AI model responses (processed in memory, not persisted)
  • Payment information (handled by payment processor)
  • Conversation data without consent

BYOAPI Architecture

When visitors talk to SVA, requests go directly to your AI provider using your API keys.

We route the request, but the AI processing happens on your account.

This means: Your rate limits. Your usage dashboard. Your data relationship with the provider.

We can’t see your AI conversations because they’re not ours to see.

Privacy by design

GDPR (Europe)

  • • Consent prompt before data collection
  • • Right to access: Users can request their data
  • • Right to deletion: One-click data removal
  • • Data portability: Export in standard formats
  • • No data processing without explicit consent
  • • Data Processing Agreement (DPA) available

CCPA (California)

  • • "Do Not Sell My Information" compliance
  • • Right to know what data is collected
  • • Right to delete personal information
  • • Opt-out mechanisms built in

LGPD (Brazil)

  • • Consent-based data collection
  • • Purpose limitation enforced
  • • Data subject rights supported

PIPEDA (Canada)

  • • Meaningful consent collection
  • • Limited collection principle
  • • Individual access rights

Need a specific compliance document? Contact us.

Sensitive data gets scrubbed

Standard Mode

  • Automatically removes from stored transcripts:
  • • Email addresses
  • • Phone numbers
  • • Credit card numbers
  • • Social Security Numbers
  • • Other payment details

Strict Mode

  • Everything in Standard, plus:
  • • Names softened or anonymized
  • • Addresses generalized
  • • Any detected PII flagged and scrubbed

For industries with heightened sensitivity requirements.

You choose the mode. SVA enforces it automatically.

Encryption everywhere

Data at Rest

  • • 256-bit AES encryption
  • • API keys salted and hashed
  • • Database encryption enabled
  • • Backup encryption enabled

Data in Transit

  • • TLS 1.3 for all connections
  • • HTTPS enforced (no HTTP fallback)
  • • Certificate pinning for API connections

Key Management

  • • Your API keys encrypted before storage
  • • Decrypted only in memory during requests
  • • Never logged, never visible in admin panels

You choose the mode. SVA enforces it automatically.

Who can access what

Your Team

Admin: Full configuration access, conversation review, guardrail management

Manager: Conversation review, analytics, limited configuration

Viewer: Read-only conversation access

Role-based permissions configurable per installation

Our Team

  • • No access to your conversation content by default
  • • Support access requires explicit permission grant
  • • All support access logged in audit trail
  • • Access automatically revoked after support session

AI Providers

  • • Governed by your agreement with OpenAI/Anthropic/Google/xAI
  • • We don't add any data sharing beyond what you configure
  • • Your API keys = your data relationship

Stopping bad actors before they start

Rate Limiting

  • • Plan-based limits prevent runaway costs
  • • Per-IP limits stop individual bad actors
  • • Automatic throttling during unusual spikes
  • • Legitimate users unaffected

Bot Detection

  • • Behavioral analysis identifies non-human traffic
  • • Suspicious patterns flagged automatically
  • • Repeat offenders get increasing timeouts
  • • Scrapers and abuse attempts blocked

Threat Monitoring

  • Real-time monitoring for:
  • • Request bursts
  • • Authentication failures
  • • Nonce reuse attempts
  • • Suspicious user agents
  • • Known bad IP addresses

Automatic response: throttle → block → ban

Jailbreak Prevention

  • • Constitutional AI rules can't be overridden by user input
  • • Prompt injection attempts detected and blocked
  • • Guardrails enforced at system level, not prompt level

Receipts for everything

Security Events Logged

  • • Failed authentication attempts
  • • Configuration changes
  • • Guardrail violations
  • • Rate limit hits
  • • Blocked requests
  • • Admin access
  • • Data exports
  • • Data deletions

Conversation Logging

  • • Full transcript (with consent)
  • • Timestamp
  • • Duration
  • • Intent detected
  • • Sentiment analysis
  • • Violations triggered
  • • Lead data captured

Compliance Reports

  • • Weekly security summary available
  • • Exportable to CSV
  • • Filterable by date, event type, severity
  • • Ready for compliance review or audit

Guardrails aren't just compliance—they're security

Constitutional AI prevents your assistant from being manipulated into harmful responses.

Unlike prompt-based instructions, constitutional rules can’t be jailbroken.

Even if a bad actor tries to trick SVA into giving medical advice, legal counsel, or financial recommendations—it physically can’t.

Your brand is protected. Your liability is reduced. Your compliance team sleeps better.

Learn more about Constitutional AI  🠆

Where SVA runs

Hosting

  • • Cloud infrastructure
  • • Geographically distributed
  • • Auto-scaling for traffic spikes
  • • 99.9% uptime target

WordPress Plugin

  • • Runs on your WordPress installation
  • • No external iframe or third-party widget hosting
  • • Your server, your control

Backups

  • • Daily automated backups
  • • Encrypted backup storage
  • • Point-in-time recovery available

If something goes wrong

We maintain an incident response plan for security events.

Affected customers notified within 72 hours of confirmed breach.

Post-incident reports available for significant events.

Security contact: security@simpleaisystem.com

Documentation for your team

Data Processing Agreement (DPA)

Security whitepaper

SOC 2 report (in progress)

Privacy policy

Terms of service

Subprocessor list

Need something specific? Contact us and we’ll provide it.
Request Compliance Documents

Want us to handle it?

Do you train AI models on my conversation data?
No. Your conversation data is never used to train any AI models. It stays in your account for your use only.

.

Conversation data is stored in encrypted cloud infrastructure. Your AI provider data is governed by your relationship with that provider (OpenAI, Anthropic, etc.).
Not by default. Support access requires your explicit permission, is logged, and is revoked after the session.
All your data is permanently deleted within 30 days. We can expedite on request.
We are pursuing SOC 2 Type II certification. Contact us for our current security documentation.
We follow industry-standard incident response. Affected customers are notified within 72 hours of confirmation. Full post-incident reports provided.
Yes. Contact us to schedule a security review call or request our security questionnaire responses.
SVA is designed with HIPAA-aligned controls: encryption, access controls, audit logging, and consent handling. For covered entities, we can execute a BAA (Business Associate Agreement). Contact us to discuss your specific requirements.

Questions about security?

Our team is happy to walk through security requirements with your compliance or IT team.

Contact Security Team
Request Documentation