Replyion

Security

Last updated: 2026-05-06

Data hosting

All clinic and patient data is hosted in the EU (Frankfurt) on Supabase Pro infrastructure. No production data leaves the EU at rest.

Encryption

TLS 1.3 in transit. AES-256 at rest. Patient phone numbers are stored as one-way hashes after the first contact; the plaintext number is held only for the duration of the active WhatsApp session.
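The page says phone numbers are kept as one-way hashes but does not say which construction is used. The sketch below is an added example, not Replyion's code, of how such a pseudonym is usually built so that it is actually one-way: a phone number has only a few billion possible values, so an unkeyed digest can be reversed by enumeration, and a keyed HMAC with a server-side secret (assumed here as `PEPPER`, loaded from a secret store in production) is the standard fix. The E.164 normalisation, the default country code and the sample numbers are assumptions made for the example; the last function demonstrates the enumeration attack against the unkeyed variant.

```python
"""Pseudonymising patient phone numbers with a keyed one-way hash.

Added example, not Replyion's code. Assumes a server-side secret (PEPPER)
held outside the database, and E.164-style normalisation before hashing so
that "+49 30 1234567", "0049 30 1234567" and "030 1234567" map to one
pseudonym. HMAC-SHA256 and the default country code are assumptions.
"""
import hashlib
import hmac
import re
from typing import Optional

# Assumption: loaded from a KMS / secret store in production. Constructed
# fixed value here so the example runs offline.
PEPPER = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)


def normalize_e164(raw: str, default_country_code: str = "49") -> str:
    """Reduce a phone number to '+' followed by 7..15 digits.

    Accepts a leading '+', a '00' international prefix, or a trunk '0'
    (prefixed with the default country code); rejects anything else.
    """
    digits = re.sub(r"[^\d+]", "", raw.strip())
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = default_country_code + digits[1:]
    if not digits.isdigit() or not 7 <= len(digits) <= 15:
        raise ValueError("not a plausible phone number")
    return "+" + digits


def pseudonymize(raw: str, pepper: bytes = PEPPER) -> str:
    """Keyed one-way pseudonym: HMAC-SHA256 over the normalised number."""
    number = normalize_e164(raw)
    return hmac.new(pepper, number.encode(), hashlib.sha256).hexdigest()


def matches(raw: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Constant-time check of an incoming number against a stored pseudonym."""
    return hmac.compare_digest(pseudonymize(raw, pepper), stored)


def brute_force_unkeyed(target_digest: str, prefix: str, width: int) -> Optional[str]:
    """Why an unkeyed SHA-256 is not a pseudonym: enumerate the digits behind a
    known prefix (e.g. a country and area code) and recover the plaintext."""
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target_digest:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample number; not a real patient.
    stored = pseudonymize("+49 30 1234567")
    print("pseudonym:", stored)
    print("same number, other format matches:", matches("030 1234567", stored))
    unkeyed = hashlib.sha256(b"+49301234567").hexdigest()
    print("unkeyed digest reversed to:", brute_force_unkeyed(unkeyed, "+4930123", 4))
```

Normalising before hashing matters as much as the key: without it the same patient contacting from "+49 30 …" and "030 …" gets two pseudonyms and the deduplication the hash is meant to provide silently fails. Rotating `PEPPER` invalidates every stored pseudonym, so key rotation needs a re-hash pass while the plaintext is still available in the active session.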

Backups

Daily automated backups with 7-day point-in-time recovery. Weekly off-platform encrypted snapshots in a separate region. Backup restoration is tested quarterly.

Access control

Operator access via passwordless magic link plus TOTP 2FA. Hardware key (FIDO2) required for production database access. All production access is logged and reviewed weekly.

Monitoring

Six autonomous monitoring agents track system health, conversation quality, and security events around the clock. Anomalies are paged to the founder within 60 seconds.

Incident response

Documented runbook for each failure mode (auth outage, sub-processor outage, message-loss incident, suspected data breach). Customer notification within 24 hours of any breach affecting their data, per the DPA.

Sub-processors

See our subprocessor list.

Reporting concerns

Security concerns: security@replyion.com. We respond within 24 hours. Responsible-disclosure researchers are credited (with consent) on this page.