Security isn't a feature we added. It's a design principle. The less data we hold, the less there is to protect — and the less there is to lose.
The most secure data is data that doesn't exist. Our tier structure reflects this: the Avatar tier is built around anonymization by default, and Avatar Enterprise retains nothing beyond the active session. Security and privacy are the same decision, made at the architecture level.
All data transmitted between end customers and Machine, between Machine and operator dashboards, and within our internal systems is encrypted in transit using TLS 1.2 or higher. Longterm stored data is encrypted at rest.
Billing and payment data is handled entirely by Stripe. We do not store, process, or transmit payment card information on our own systems.
Access to conversation data is restricted to personnel with a documented operational need — support, engineering when diagnosing a specific reported issue, and security review. Access is not granted by default and is not available to the broader team.
Operator dashboards are protected by authenticated sessions. Operators can only access data from their own deployments.
The data model varies by tier. This is a security property, not just a pricing distinction.
| Tier | Conversations anonymized | PII retained | Session-only option | Operator data access |
|---|---|---|---|---|
| Avatar | YES | Only if customer self-identifies | NO | Outcomes only |
| Avatar Pro | NO | Yes, associated with conversation | NO | Full conversation log |
| Avatar Enterprise | NO | Yes, under operator control | YES | Full log, operator-controlled retention |
In the event of a security incident affecting personal data, we will notify affected operators within 72 hours of becoming aware of the breach, consistent with applicable law. Our notification will describe the nature of the incident, the data affected, the steps we have taken, and any actions we recommend operators take.
To report a suspected security vulnerability, contact us at security@hellomachine.io. We respond to all security reports within one business day.
helloMachine uses a small number of third-party infrastructure providers to operate the service. We do not publicly disclose our infrastructure vendors, as doing so can itself create security surface. What we can say: all vendors are evaluated for security posture before use, data shared with vendors is limited to what's operationally necessary, and vendor agreements include data processing and confidentiality obligations.
SMS functionality is powered by a major US telecommunications infrastructure provider. Payments are processed by Stripe. Both are subject to their own published security programs.
If you discover a security vulnerability in helloMachine, please report it to security@hellomachine.io before disclosing publicly. We commit to acknowledging your report within one business day, working with you to understand and address the issue, and not taking legal action against good-faith security researchers acting within this policy.
We take security reports seriously and respond quickly.
WakaiCorp, Inc. · San Francisco, CA