Trust & Safety

Security at Supplo

We take security seriously — not as a marketing checkbox, but because your customers' conversations deserve to be protected.

Our Security Foundations

Encrypted in Transit: TLS 1.3 on all connections
Encrypted at Rest: AES-256 for stored data
Self-Hosted Option: your data, your server
Audit Logs: full access trail retained
Role-Based Access: least-privilege by default

Encryption

All data transmitted between users, the Supplo widget, the dashboard, and our servers is encrypted using TLS 1.3 — the latest and most secure version of the transport layer security protocol. Older TLS versions (1.0, 1.1) and weak cipher suites are disabled at the server level.

Data stored on our servers — including conversation content, customer records, and account data — is encrypted at rest using AES-256, the same standard used by financial institutions and government agencies worldwide. Encryption keys are managed separately from the encrypted data.

Technical encryption specifications:

Transport encryption: TLS 1.3 (TLS 1.2 minimum; 1.0/1.1 disabled)
Cipher suites: ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305
Storage encryption: AES-256-GCM
Password hashing: bcrypt with cost factor 12
HTTPS: HSTS enforced; HTTP redirected to HTTPS
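The transport specification above is something a self-hosted operator can pin and verify on their own server. The following is an added example using Python's standard ssl module, not Supplo's code: it builds a server context that enforces the stated minimum version and cipher allow-list, builds a deliberately permissive context for comparison, and audits any context against the spec. The function names and the extra OP_NO_COMPRESSION check are assumptions of the example; the version and suite values come from the table above.

```python
import ssl

# Values taken from the specification table: TLS 1.2 minimum (1.0/1.1 off)
# and exactly these two TLS 1.2 suites. TLS 1.3 suites are negotiated
# separately by OpenSSL and are not governed by this allow-list.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
ALLOWED_TLS12_SUITES = frozenset({
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
})


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context matching the spec. Loading the certificate
    (ctx.load_cert_chain) is left to the deployment."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION          # refuses TLS 1.0/1.1 handshakes
    ctx.set_ciphers(":".join(sorted(ALLOWED_TLS12_SUITES)))
    ctx.options |= ssl.OP_NO_COMPRESSION       # assumption: also disable TLS compression
    return ctx


def permissive_server_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: no pinned minimum version and
    OpenSSL's broad HIGH cipher group instead of the two-suite allow-list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("HIGH")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return every deviation from the spec; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, "
                        "expected TLSv1_2")
    # get_ciphers() lists every suite the context would offer, including the
    # TLS 1.3 ones (protocol == 'TLSv1.3'), which are skipped here.
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue
        if cipher["name"] not in ALLOWED_TLS12_SUITES:
            findings.append(f"non-allowlisted suite offered: {cipher['name']}")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings
```

Running audit_context against the hardened context yields no findings, while the permissive one is flagged for both the unpinned minimum version and the extra suites.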

Self-Hosted Architecture

Supplo is built to be self-hosted. When you run Supplo on your own VPS, your customer data never leaves your server. There is no multi-tenant shared database — your conversations, contacts, and agent accounts are stored entirely within your own infrastructure.

This is a deliberate architecture decision. Most SaaS chat platforms store your customers' conversations on their shared infrastructure, which creates a single point of failure and a large target for attackers. With Supplo's self-hosted model, data is distributed across each customer's own server, reducing risk.

For customers on our managed cloud plan, data is hosted on dedicated, isolated virtual machines — not shared containers. Infrastructure is provided by Hetzner's ISO 27001-certified data centres in Germany, within the European Union.

Access Controls

Supplo enforces a strict least-privilege access model. Each team member in your organisation is assigned a role (administrator, agent, or read-only viewer) that limits their access to only what they need to perform their job.

Audit Logs

Supplo maintains audit logs of all significant actions taken within the platform, including logins, conversation assignments, data exports, settings changes, and agent management actions. Audit logs are immutable, timestamped, and retained for 90 days. Administrators can view and export audit logs from the dashboard at any time.

Infrastructure Security

Our infrastructure follows industry security best practices.

Uptime and Reliability

Supplo targets a 99.9% monthly uptime SLA for managed cloud customers. This is equivalent to less than 9 hours of downtime per year. In the event of an outage, we communicate status in real time. Planned maintenance windows are announced at least 48 hours in advance and are scheduled during off-peak hours.

For self-hosted deployments, uptime is dependent on the customer's own infrastructure. We provide documentation and support for setting up monitoring, process management (PM2), and automated restarts to maximise availability.

Responsible Disclosure

Security Vulnerability Reports

If you have discovered a potential security vulnerability in Supplo, we want to hear from you. We ask that you report it to us privately before any public disclosure, giving us reasonable time to investigate and address the issue.

To report a vulnerability: email support@supplo.io with the subject line "Security Vulnerability Report." Please include a description of the vulnerability, steps to reproduce it, and its potential impact. We will acknowledge receipt within 48 hours.

We are grateful to security researchers who help keep Supplo and our customers safe. While we do not currently operate a formal paid bug bounty program, we recognise and credit responsible disclosures in our release notes (with your permission) and commit to handling all reports with transparency and urgency.

Please do not: access or modify data belonging to other users, perform denial-of-service attacks, or disclose the vulnerability publicly before we have had a chance to address it.

Questions?

For any security-related questions or concerns, contact us at support@supplo.io. For data protection and GDPR matters, visit our GDPR page.