Trust & security

Built for teams whose security review never gets skipped.

This page is the honest version: exactly what Convoship enforces today, where our data goes, how you can deploy, and what we have not yet done. If your evaluation needs more depth, send your security questionnaire and we will complete it.

Where we are on certifications

We are a new platform, and we will not claim a certification we do not hold. Convoship is not yet SOC 2, ISO 27001, or HIPAA certified. We would rather tell you that plainly than imply otherwise on a logo wall. What we can show you is the control set already enforced in every workspace, and a concrete roadmap toward formal attestation that we are glad to review with your security team.

Enforced today

  • Postgres row-level security for tenant isolation
  • MFA, role-based access, and session revocation
  • Envelope-encrypted secrets vault (KMS-ready)
  • Immutable, queryable audit log
  • Encryption in transit (TLS) across all surfaces
  • Sandboxed code execution with strict timeouts

On the roadmap

  • SOC 2 Type II readiness and audit
  • Formal sub-processor agreements and DPA template
  • Customer-configurable data residency
  • Penetration test by an independent third party
  • Published status page and uptime history

We will update this page as each item ships — not before.

Controls in every workspace

Convoship was built for teams whose security review never gets skipped. Every workspace ships with the controls your auditors expect — no add-on tier, no add-on price.

Identity & access

Workspace roles (owner, admin, developer, editor, viewer), MFA enforcement, refresh-token rotation, configurable session lockout, and a workspace-wide revoke-all-sessions action.

Encrypted secrets

Workspace secrets vault with envelope encryption (Fernet today, KMS-ready). Tool nodes reference secrets by name — credentials never enter prompts, exports, or logs.

Row-level security

Postgres RLS enforces workspace isolation on every query. The app role cannot bypass RLS; cross-workspace data exposure is structurally impossible, not just policy-enforced.
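
For reviewers who want to see what this control looks like in Postgres and how to check it, here is an added illustration. It is not Convoship's schema or code, and the table, role and setting names (agents, app_rw, app.workspace_id) and the sample UUID are assumptions.

```sql
-- Added illustration; agents, app_rw and app.workspace_id are assumed names.
CREATE ROLE app_rw LOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE agents (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    name         text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON agents TO app_rw;
GRANT USAGE ON SEQUENCE agents_id_seq TO app_rw;

-- ENABLE turns policies on; FORCE also applies them to the table owner,
-- so an app that connects as the owner is filtered as well.
ALTER TABLE agents ENABLE ROW LEVEL SECURITY;
ALTER TABLE agents FORCE ROW LEVEL SECURITY;

-- USING filters reads, updates and deletes; WITH CHECK blocks writing a row
-- into another workspace. An unset or empty setting becomes NULL, which
-- matches no rows, so a request without a workspace fails closed.
CREATE POLICY workspace_isolation ON agents
    USING (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Per request, connected as app_rw: scope the transaction to one workspace.
-- The third argument (true) makes the setting local to this transaction.
BEGIN;
SELECT set_config('app.workspace_id', '11111111-1111-1111-1111-111111111111', true);
SELECT id, name FROM agents;   -- the policy restricts this to the workspace set above
COMMIT;

-- Review check 1: the application role must be neither superuser nor
-- BYPASSRLS, because both skip policies even when FORCE is set.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolname = 'app_rw';

-- Review check 2: any row returned here is a table where policies are
-- off (no ENABLE) or the owner is exempt (no FORCE).
SELECT n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p')
  AND n.nspname = 'public'
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);
```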

Audit trail

Every mutation — agent edits, deployments, secret reads, member role changes — lands in an immutable audit log. Filter by actor, action, target, and time range — the audit evidence your security review will ask for.

Usage metering & budgets

Daily LLM spend caps per AI Agent, per-workspace conversation counts, and Prometheus metrics for runtime sessions, turns, and tool calls. No surprise bills, no silent failures.

Sandboxed code execution

Python nodes run with a strict per-node timeout and session-scoped variables only. No filesystem, no outbound network unless explicitly proxied through a tool node.

Data handling & sub-processors

We do not sell your data, and we do not use it to train models. The providers below process data on our behalf so the service can run. Voice providers only receive data when you enable a voice channel.

| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Anthropic (Claude API) | Flow extraction and runtime reasoning | Diagram content and conversation text sent at request time | United States |
| Amazon Web Services | Application hosting, PostgreSQL, Redis | All workspace data at rest | Configurable per deployment |
| Vercel | Marketing site and studio frontend hosting | Request metadata and edge logs | Global edge |
| Deepgram | Speech-to-text — only when a voice channel is enabled | Inbound call audio | United States |
| ElevenLabs | Text-to-speech — only when a voice channel is enabled | Outbound message text | United States |
| Resend | Transactional and notification email | Recipient name and email address | United States |

Deployment options

You choose where Convoship runs. Regulated workloads can stay entirely inside your environment.

Convoship cloud

Fully managed on our AWS infrastructure. The fastest path to production, with workspace isolation enforced by Postgres row-level security.

Self-hosted / VPC

Run the full containerized stack (FastAPI, Postgres, Redis) inside your own cloud account or VPC, including self-hosted vision endpoints for on-prem document import.

Hybrid

Keep data and runtime in your environment while using Convoship cloud for the studio, or split by workload. We design the boundary with you during onboarding.

Data retention & deletion

Workspace data is retained according to your configuration and our operational needs. You can request export or deletion of workspace data, and secrets are envelope-encrypted at rest and removed with the workspace. Deleting an agent removes its drafts, versions, and deployment tokens.

Responsible disclosure

Found a vulnerability? We want to hear from you before anyone else does. Email fayaz@convoship.org with details and reproduction steps. We will acknowledge your report and keep you updated on the fix.

Have a security questionnaire?

Send it over — we will complete it and walk your team through the architecture.
