Replio

Security & Data Handling

Last updated: 21 June 2026 · For our full policy see the Privacy Policy

This overview explains how Replio hosts, protects, and handles the data businesses entrust to us. It's written for the security and compliance teams of the businesses that use Replio. For anything not covered here, contact hello@replio.live.

Hosting & infrastructure

Replio runs on Railway's managed cloud infrastructure. Application data is stored in a managed, access-controlled PostgreSQL database. Our hosting region is available on request.

Encryption

All traffic to and from Replio — the dashboard, APIs, channel webhooks, and the website chat widget — is encrypted in transit using TLS/HTTPS. Data at rest is held on our hosting provider's managed, encrypted infrastructure. Account passwords are hashed and never stored in plaintext.

Access control

AI processing

AI replies are generated using Anthropic (Claude), with Voyage AI used to retrieve the right knowledge. These are API processors: your conversations are not used to train their models.

Sub-processors

We share data only with the providers needed to run the service: Anthropic and Voyage AI (AI), Railway (hosting), Resend (transactional email), Privy (only where a business enables crypto features), and the messaging platforms you connect (Telegram, Meta/WhatsApp). A current sub-processor list is available on request.

Data we hold for you

We hold the conversations between your customers and the assistant (including any images sent), your knowledge base and settings, your team accounts, and the channel credentials you connect. We do not store full payment-card numbers.

Retention & deletion

We retain your data while your account is active. You can export or request deletion of your data at any time, and we honor deletion requests within 30 days. When an account is closed, its data is deleted within 90 days. End-users can ask the business they contacted to remove their messages. Self-serve deletion is available at replio.live/delete-account.html.

Compliance

Replio is not yet formally certified to SOC 2 or ISO 27001. We follow industry-standard security practices — TLS everywhere, hashed credentials, least-privilege access, tenant isolation, and reputable sub-processors — and can provide a Data Processing Agreement (DPA) on request.

Reporting & contact

For security questions, a DPA, or to report a vulnerability, contact hello@replio.live.
