Security & Trust

How we protect your data

AI Front Desk runs on your customers' websites, so security is built in — not bolted on. Here's what we do today.

🔒 Encryption in transit

All traffic between visitors, the widget, and our servers is encrypted over HTTPS/TLS. Data is never sent in clear text.

🧱 Tenant isolation

Every business is a separate tenant. Bookings, chat history and settings are scoped to a validated client identifier, so one business can never see another's data. Requests for unknown or malformed identifiers are rejected.

🔑 Secrets stay on the server

AI provider keys and notification credentials live only on the backend, never in the widget code that ships to browsers. The embeddable script contains no secrets.

🛡️ Abuse & prompt-injection protection

🤖 Transparent AI

Visitors are clearly told they are talking to an AI assistant at the start of every conversation, by design — aligned with the EU AI Act and US bot-disclosure expectations.

🗄️ Reliable, persistent storage

Bookings and conversations are stored in a managed database with graceful degradation: if the database is briefly unavailable, the widget keeps working instead of failing the visitor.

📤 Your data, your rights

We support access, export and deletion of personal data on request, and we honor the Global Privacy Control (GPC) opt-out signal. We do not sell or share personal data. See our Privacy Policy for details and the full sub-processor list.

📣 Responsible disclosure

Found a security issue? Email mark.ai.ai.solutions@gmail.com and we'll respond promptly. Please give us a chance to fix it before public disclosure.

We follow these practices today. Formal certifications such as SOC 2 and ISO 27001, an EU data-residency option, and independent penetration testing are on our roadmap as we grow. This page describes current practices and is not a contractual warranty.