SIMCOAI Docs
Security

Plan enforcement is backend-controlled

The dashboard hides locked features, but the backend must enforce every plan requirement itself. Never rely on frontend checks alone.
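The following is an added illustration of a backend plan gate, not SIMCOAI's own code. The feature-to-plan mapping is assumed from the plan descriptions on this page, and the account store, handler and request shape are constructed stand-ins. The point it shows is that the plan is resolved from the server-side subscription record and any plan claim in the request is ignored, so a hidden dashboard feature stays locked even when a client calls the API directly.

```python
"""Backend plan enforcement (added example; all names are assumptions)."""
from functools import wraps

# Plan tiers in ascending order; each plan includes everything below it.
PLAN_RANK = {"starter": 0, "growth": 1, "pro": 2}

# Minimum plan for each feature. Assumed mapping built from the plan
# descriptions on this page, not a SIMCOAI configuration file.
FEATURE_MIN_PLAN = {
    "chat": "starter",
    "knowledge": "starter",
    "orders": "starter",
    "api_basic": "starter",
    "setup_ai": "growth",
    "phone": "growth",
    "memory": "growth",
    "bookings": "growth",
    "escalations": "growth",
    "advanced_automation": "pro",
}


class PlanError(PermissionError):
    """Raised when the account's plan does not cover the requested feature."""


# Constructed stand-in for the server-side subscription record. A real
# backend reads the plan from the billing store, never from the client.
ACCOUNT_PLANS = {"acct_1": "starter", "acct_2": "growth"}


def plan_for(account_id):
    plan = ACCOUNT_PLANS.get(account_id)
    if plan is None:
        raise PlanError("unknown account")
    return plan


def plan_allows(plan, feature):
    """True if `plan` meets the minimum plan for `feature`; unknown features
    are denied by default rather than silently allowed."""
    needed = FEATURE_MIN_PLAN.get(feature)
    if needed is None:
        raise PlanError(f"unknown feature {feature!r}")
    return PLAN_RANK[plan] >= PLAN_RANK[needed]


def requires_feature(feature):
    """Decorator for request handlers: resolves the plan server-side and
    ignores any plan value the request body may carry."""
    def deco(handler):
        @wraps(handler)
        def wrapped(request):
            plan = plan_for(request["account_id"])  # never request.get("plan")
            if not plan_allows(plan, feature):
                raise PlanError(f"{feature} requires the {FEATURE_MIN_PLAN[feature]} plan")
            return handler(request)
        return wrapped
    return deco


@requires_feature("bookings")
def create_booking(request):
    # Hypothetical handler body; a real one would write the booking.
    return {"ok": True, "account": request["account_id"]}


def handle(request):
    """Return (status, body) the way a route wrapper would."""
    try:
        return 200, create_booking(request)
    except PlanError as e:
        return 403, {"error": str(e)}


if __name__ == "__main__":
    print(handle({"account_id": "acct_2"}))                 # growth: allowed
    print(handle({"account_id": "acct_1", "plan": "pro"}))  # starter: refused
```

The decorator is the only place that decides access, so a handler cannot be reached by a client that simply omits or forges the plan field; the 403 path is what the dashboard's hidden button would have prevented on the happy path.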

Session

Supabase auth cookies/session state identify the user.

API

Scoped keys control external access.

Audit

Audit records keep support and compliance activity traceable.

Encryption model

SIMCOAI should be described as using layered encryption controls: HTTPS/TLS for traffic in transit, encrypted application secrets, provider-side encrypted storage, and field-level encryption foundations for sensitive payloads where enabled.

Do not describe all SIMCOAI data as universally end-to-end encrypted. AI receptionist features require selected business, customer, order, booking and policy data to be readable by trusted backend services so the assistant can answer correctly.

  • In transit (always on): HTTPS/TLS protects browser, API, dashboard and webhook traffic.
  • Secrets (server side): .env can be encrypted into .env.enc and loaded automatically by the backend.
  • Sensitive fields (opt-in): AES-256-GCM field-level encryption helpers are available for payloads that do not need direct querying.
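The block below is an added example of what an AES-256-GCM field-level helper looks like; it is not SIMCOAI's helper and assumes the `cryptography` package. The key, record ids and field values are constructed for the demo. It binds the record id and column name as associated data so a ciphertext cannot be moved into another row or field without the tag check failing, and it stores the nonce alongside the ciphertext so each value is self-describing.

```python
"""AES-256-GCM field encryption (added example; assumes `cryptography`)."""
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed 256-bit key for the demo only. A real backend loads the key
# from its decrypted secrets and never commits it to the repository.
FIELD_KEY = bytes(range(32))

NONCE_LEN = 12  # 96-bit nonce is the GCM recommendation


def _aad(record_id, field_name):
    # Associated data ties the ciphertext to one row and one column.
    return f"{record_id}:{field_name}".encode()


def encrypt_field(key, record_id, field_name, plaintext):
    """Return a base64 token of nonce || ciphertext || tag for one field."""
    nonce = os.urandom(NONCE_LEN)  # fresh per encryption; never reuse with a key
    ct = AESGCM(key).encrypt(nonce, plaintext.encode(), _aad(record_id, field_name))
    return base64.b64encode(nonce + ct).decode()


def decrypt_field(key, record_id, field_name, token):
    """Inverse of encrypt_field; raises InvalidTag if the token was altered or
    belongs to a different record/field."""
    raw = base64.b64decode(token)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct, _aad(record_id, field_name)).decode()


def decrypt_field_or_none(key, record_id, field_name, token):
    """Convenience wrapper for callers that treat a bad tag as 'unreadable'."""
    try:
        return decrypt_field(key, record_id, field_name, token)
    except InvalidTag:
        return None


if __name__ == "__main__":
    tok = encrypt_field(FIELD_KEY, "order_42", "delivery_notes", "leave at back door")
    print(decrypt_field(FIELD_KEY, "order_42", "delivery_notes", tok))
    print(decrypt_field_or_none(FIELD_KEY, "order_43", "delivery_notes", tok))  # None
```

Because the nonce is random, encrypting the same value twice yields different tokens, which is exactly why such columns cannot be filtered with an equality query; that is the "do not need direct querying" condition above, and it is a property to want rather than a limitation to work around.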

API key rules

  • Show the secret once.
  • Store only hashed key material server-side.
  • Rotate exposed keys immediately.
  • Use minimum scopes for every integration.
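As an added example of the four rules working together (not SIMCOAI's key service; the key format, in-memory store and scope names are assumptions), the block below issues a key whose secret is returned once, persists only a SHA-256 digest, checks scopes on every call with a constant-time comparison, and rotates by revoking the old record and issuing a fresh secret with the same scopes.

```python
"""Scoped API key lifecycle (added example; names and format are assumed)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class StoredKey:
    key_id: str
    key_hash: bytes      # SHA-256 of the secret; the secret itself is never stored
    scopes: frozenset
    revoked: bool = False


KEYS = {}  # key_id -> StoredKey; constructed in-memory stand-in for a table


def _hash(secret):
    # The secret is 256 bits of randomness, so a fast hash is adequate here;
    # slow password hashes are for low-entropy user passwords.
    return hashlib.sha256(secret.encode()).digest()


def issue_key(scopes):
    """Create a key and return the full secret exactly once."""
    key_id = secrets.token_hex(8)          # hex, so it never contains '_'
    secret = secrets.token_urlsafe(32)
    KEYS[key_id] = StoredKey(key_id, _hash(secret), frozenset(scopes))
    return f"sk_{key_id}_{secret}"         # assumed format: sk_<id>_<secret>


def parse(api_key):
    parts = api_key.split("_", 2)          # maxsplit keeps '_' inside the secret intact
    if len(parts) != 3 or parts[0] != "sk":
        return None
    return parts[1], parts[2]


def authenticate(api_key):
    """Return the StoredKey for a valid, unrevoked key, else None."""
    parsed = parse(api_key)
    if parsed is None:
        return None
    key_id, secret = parsed
    rec = KEYS.get(key_id)
    if rec is None or rec.revoked:
        return None
    if not hmac.compare_digest(rec.key_hash, _hash(secret)):
        return None
    return rec


def authorize(api_key, scope):
    """True only if the key is valid and was issued with `scope`."""
    rec = authenticate(api_key)
    return rec is not None and scope in rec.scopes


def rotate(api_key):
    """Revoke the presented key and return a replacement with the same scopes."""
    rec = authenticate(api_key)
    if rec is None:
        raise PermissionError("cannot rotate an invalid key")
    rec.revoked = True
    return issue_key(rec.scopes)


if __name__ == "__main__":
    k = issue_key(["orders:read"])
    print(authorize(k, "orders:read"), authorize(k, "orders:write"))  # True False
    k2 = rotate(k)
    print(authorize(k, "orders:read"), authorize(k2, "orders:read"))  # False True
```

The key id travels in the clear so the record can be looked up without scanning every hash; only the secret half is hashed, and a lookup miss, a revoked record and a digest mismatch all return the same None so the caller learns nothing about which one failed.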

Database rules

All public Supabase tables exposed to PostgREST should have RLS enabled or be removed from public exposure.

Legacy backup tables should not be exposed publicly. If retained, enable RLS and deny public access by default.

Billing behaviour

Stripe manages checkout, subscriptions, payment methods and customer portal sessions. When tax ID collection is enabled for an existing Stripe customer, customer name updates must be allowed wherever Stripe Checkout requires them.

Plans

  • Starter (entry plan): chat, knowledge, orders, basic API.
  • Growth (main launch plan): Setup AI, phone, memory, bookings and escalations.
  • Pro (scaling plan): higher limits, advanced automation, more numbers.