Security

Last updated: June 9, 2026

Automate Admits handles real conversations with real people, and we treat that data with care. This page explains the technical and organizational measures we use to protect it. Security is ongoing work, and we improve these practices over time.

Infrastructure

The Automate Admits application, database, and storage — including all protected health information (PHI) — run on Amazon Web Services (AWS), a HIPAA-eligible cloud platform, under a signed business associate agreement. PHI is stored in a private, encrypted database with no public network access. Our public marketing site and application front-end assets are delivered through Cloudflare's global edge network for DNS, CDN, and DDoS protection; no PHI is stored on or processed by Cloudflare. Each customer organization's data is logically isolated within our multi-tenant database and scoped to that organization on every request.

Encryption in transit

All traffic to and from the Service is served over HTTPS/TLS. Requests made over plain HTTP are redirected to HTTPS. Communication with the third-party services we rely on (such as our AI provider, payment processor, and email provider) likewise takes place over encrypted connections.

Authentication & access

Webhook verification

Incoming messages from Meta platforms arrive through webhooks. We verify the signature on these requests before processing them, so we only act on payloads that genuinely originate from the platform.

AI processing

To generate automated replies, conversation content and your configured agent instructions are sent over encrypted connections to our AI provider (Anthropic) to produce a response. You control whether automated replies are enabled and can take over any conversation manually at any time. See our Privacy Policy for details on how message content is processed.

Subprocessors

We use a small set of vetted service providers to operate the Service, each under contractual confidentiality and security obligations:

For customers handling protected health information, providers that process PHI do so under a business associate agreement or equivalent data-protection terms. See our Trust & Compliance page.

Data retention & deletion

We keep personal information only as long as it is needed to provide the Service, and then only as required for legitimate business or legal purposes. Customers can disconnect a channel at any time, and can request deletion of their account and associated data. End users can request deletion of their conversation data. Full details and contact addresses are in our Privacy Policy.

Your responsibilities

Security is shared. We recommend using a strong, unique password, limiting team access to those who need it, removing teammates promptly when they leave, and disconnecting channels you no longer use.

Reporting a vulnerability

If you believe you've found a security issue, please email hello@automateadmits.com with the details and steps to reproduce. We appreciate responsible disclosure and will work with you to confirm and address valid reports. Please don't access or modify other users' data, degrade the Service, or publicly disclose an issue before we've had a chance to fix it.