FlexInbox
Home  ›  Security & KVKK
Security & privacy

Customer data is serious business, and we treat it that way

From multi-tenant isolation to encrypted sessions, from rate limiting to regular backups, we designed FlexInbox to protect your data. Your customer conversations are yours, and they stay yours.

WhatsApp and Telegram conversations in one panel, with authorized access.

The FlexInbox security approach

Three core principles: your data is yours, every company is isolated, transport is encrypted.

The business using the platform owns its own customer data. FlexInbox processes that data only to deliver the service, on the instructions of the business. We never sell your conversations for marketing and we do not expose them to third parties without your consent.

Each company's data is logically isolated within the platform. Through org-based query filters and authorization checks, one company can never reach another company's conversations, contacts or settings. This multi-tenant isolation keeps every customer inside their own space on shared infrastructure.

All traffic is encrypted with HTTPS/TLS, sessions are stored in httpOnly cookies that are closed to JavaScript, and they can be revoked instantly when needed. Security is not a layer added later; it is the foundation of the architecture.

Measures

Security measures that protect your data

Not abstract promises, but technical controls actually implemented in the platform.

Multi-tenant data isolation

Each company's data is logically separated. Thanks to org-based filters, one business cannot reach another's conversations, contacts or settings.

httpOnly cookie sessions + revocation

The session token is kept in a cookie closed to JavaScript. When needed, all sessions can be revoked instantly, so a stolen token becomes useless.

HTTPS/TLS encrypted transport

All traffic between the browser and the server is encrypted with HTTPS/TLS. Data never travels across the network as plain text.

Security headers

HSTS, content-type protection and other security headers close off common attack surfaces at the browser level.

Rate limiting and abuse protection

Rate limits are applied on login and API endpoints, suppressing brute-force attempts and automated abuse.

Regular backups

The database is backed up at regular intervals and a recovery plan is in place. In the event of a failure, your data can be restored.

Access and permission management

Only authorized people reach conversations, and only as much as they need.

In FlexInbox every conversation is visible only to authorized agents. Admin and agent roles make it clear who can access what; an agent only sees conversations on the lines assigned or granted to them.

Even when several users share a single number, the sender of every message is always clear. Thanks to assignment, open/closed status and per-line authorization, access control does not fall apart as the team grows.

  • Role-based permissions: Admin and agent roles define who can see and do what.
  • Authorized visibility only: Conversations are opened only to assigned or authorized agents.
  • Per-line authorization: Each line's access is managed separately; control stays with you as the team grows.

Privacy and data processing principles

We are transparent about why, how and how much of your data we process.

We process your data only to deliver the service: message delivery, CRM matching, AI replies and hosting. Some integration providers in this chain (WhatsApp, Telegram, Zoho CRM, Bitrix24, HubSpot, OpenAI) may process data on their own infrastructure; this sharing is limited to what the service needs to function.

When the AI agent generates a reply, only the content needed for that reply is sent to the model provider, and the knowledge base is yours. In line with GDPR and general privacy principles, we are transparent about processing purposes, legal basis and the rights of data subjects.

Security, frequently asked questions

Who are my conversations shared with?

Your conversations are shown only to your authorized agents. They are shared with third parties only as much as the service requires (message delivery, CRM matching, AI replies, hosting). They are never sold for marketing.

Can data leak from one company to another?

No. Each company's data is logically separated through multi-tenant isolation. With org-based query filters and authorization checks, one business can never reach another's conversations, contacts or settings.

Is my session secure?

The session token is kept in an httpOnly cookie closed to JavaScript and all traffic is encrypted with HTTPS/TLS. Sessions can be revoked instantly when needed, so a stolen token becomes useless.

Is my data backed up?

Yes. The database is backed up at regular intervals and a recovery plan is in place. Your data can be restored in the event of a failure.

What is your approach to privacy and data protection?

We process your data only to deliver the service, on your business's instructions. We are transparent about processing purposes, legal basis and data subject rights; you own your data.

Protect your data with confidence

Set up FlexInbox in minutes with multi-tenant isolation, encrypted sessions and regular backups. No credit card required.