Security
Automate Admits handles real conversations with real people, and we treat that data with care. This page explains the technical and organizational measures we use to protect it. Security is ongoing work, and we improve these practices over time.
Infrastructure
The Automate Admits application, database, and storage — including all protected health information (PHI) — run on Amazon Web Services (AWS), a HIPAA-eligible cloud platform, under a signed business associate agreement. PHI is stored in a private, encrypted database with no public network access. Our public marketing site and application front-end assets are delivered through Cloudflare's global edge network for DNS, CDN, and DDoS protection; no PHI is stored on or processed by Cloudflare. Each customer organization's data is logically isolated within our multi-tenant database and scoped to that organization on every request.
Encryption in transit
All traffic to and from the Service is served over HTTPS/TLS. Requests made over plain HTTP are redirected to HTTPS. Communication with the third-party services we rely on (such as our AI provider, payment processor, and email provider) likewise takes place over encrypted connections.
Authentication & access
- Passwords are never stored in plain text. They are kept only as a salted hash, so the original password cannot be recovered from our records.
- Sessions are maintained with a secure session cookie; we do not use advertising cookies.
- Least privilege. Access to systems and customer data is limited to the people who need it to operate and support the Service.
- Channel tokens used to send and receive messages on a connected Facebook Page or Instagram account are stored to operate the Service and can be revoked by disconnecting the channel at any time.
Webhook verification
Incoming messages from Meta platforms arrive through webhooks. We verify the signature on these requests before processing them, so we only act on payloads that genuinely originate from the platform.
AI processing
To generate automated replies, conversation content and your configured agent instructions are sent over encrypted connections to our AI provider (Anthropic) to produce a response. You control whether automated replies are enabled and can take over any conversation manually at any time. See our Privacy Policy for details on how message content is processed.
Subprocessors
We use a small set of vetted service providers to operate the Service, each under contractual confidentiality and security obligations:
- Amazon Web Services (AWS) — application hosting, database, and object storage; where PHI is stored and processed, under a business associate agreement.
- Cloudflare — public website and application static-asset delivery, DNS, and CDN/DDoS protection; no PHI.
- Twilio — transport and delivery of SMS and voice messages, including call recording; the message and call content is stored and processed by us on AWS.
- Anthropic — AI processing of message content to generate replies.
- Square — payment processing for customer subscriptions.
- Resend — delivery of transactional and service emails.
- Meta Platforms — to receive and send messages through Facebook and Instagram.
For customers handling protected health information, providers that process PHI do so under a business associate agreement or equivalent data-protection terms. See our Trust & Compliance page.
Data retention & deletion
We keep personal information only as long as it is needed to provide the Service, and then only as required for legitimate business or legal purposes. Customers can disconnect a channel at any time, and can request deletion of their account and associated data. End users can request deletion of their conversation data. Full details and contact addresses are in our Privacy Policy.
Your responsibilities
Security is shared. We recommend using a strong, unique password, limiting team access to those who need it, removing teammates promptly when they leave, and disconnecting channels you no longer use.
Reporting a vulnerability
If you believe you've found a security issue, please email hello@automateadmits.com with the details and steps to reproduce. We appreciate responsible disclosure and will work with you to confirm and address valid reports. Please don't access or modify other users' data, degrade the Service, or publicly disclose an issue before we've had a chance to fix it.