Security at Monqez AI

We treat your data the way we'd want ours treated.

Multi-tenant isolation. Encryption at rest. Bcrypt-hashed passwords. TLS 1.2+ with HSTS. Strict CSP. HMAC-signed unsubscribe. Every claim on this page is grounded in the production code — not aspirational marketing.

AES-256-GCM at rest bcrypt-12 passwords TLS 1.2+ HSTS CSP grade A GDPR-aware
Tenant isolation

Your data lives in its own room.

Every customer signed up to Monqez AI gets a logically isolated slice of the system. Concretely:

  • Database isolation: every row in every table is scoped by user_id. Backend queries always include this filter — there is no path in the API that returns another tenant's data.
  • Knowledge-base isolation: the AI brain that powers your departments is trained only on your products, your policies, and your conversations. It cannot see — and is not trained on — any other customer's data.
  • Integration isolation: the credentials you connect (your WhatsApp Business, your SMTP, your CRM) live encrypted in your row only. They are never shared, indexed, or used to power anyone else's workflows.
  • No shared-model training: your conversations are never used to train a shared model that other customers benefit from. Your data is yours.
Encryption

Encrypted at rest, encrypted in transit.

  • At rest: sensitive fields (integration tokens, SMTP credentials, API keys) are encrypted with AES-256-GCM, an authenticated cipher that detects tampering. The encryption key is held in a server-side environment variable, never in code, never in version control.
  • In transit: every request to monqezai.io is served over TLS 1.2+ with HSTS enforced for one year, which means browsers refuse to downgrade to HTTP.
  • Database backups: taken automatically, encrypted, and kept on rotating storage. Backups are tested periodically to confirm they restore.
Authentication

Passwords are never stored. Sessions are short.

  • Passwords are hashed with bcrypt at cost factor 12. Plain-text passwords are never logged, never stored, never sent.
  • Password resets use a one-time token sent by email — the actual password is never included in any communication.
  • JWT sessions are short-lived (7 days for customers, 12 hours for admins, 30 minutes for impersonation). Tokens are signed with a server-side secret and never persisted in the browser beyond an HttpOnly cookie / secure storage.
  • Admin access is segregated from the customer app — different routes, different auth tier, different audit trail.
Network & headers

Hardened browser surface.

We score grade A on securityheaders.com thanks to:

  • HSTS for 1 year with includeSubDomains.
  • Strict Content-Security-Policy limiting script and style sources to a tight allowlist.
  • X-Frame-Options: DENY + CSP frame-ancestors 'none' to block clickjacking.
  • X-Content-Type-Options: nosniff + Referrer-Policy: strict-origin-when-cross-origin.
  • Permissions-Policy disables every browser API we don't actively use (camera, mic, geolocation, payment, USB, FLoC, etc.).
  • Cross-Origin-Opener-Policy isolates the browsing context — Spectre-style cross-window leak protection.
Compliance

Email compliance is built in, not bolted on.

  • HMAC-signed unsubscribe: every Sales email carries a tamper-proof unsubscribe link. The token verifies the recipient + campaign on click; no per-link database row needed.
  • Opt-out enforcement: unsubscribed addresses are stored per-tenant and checked before every future send. Pending and approved drafts to opted-out addresses are auto-skipped.
  • SPF / DKIM / DMARC helpers: the dashboard walks customers through configuring their own sending domain for optimal deliverability. We send from your mailbox, not ours — which means you control your sender reputation.
  • GDPR-aware: data export and deletion are available on request. Right to be forgotten is honoured.
Responsible disclosure

Found something? Tell us — we'll listen.

We take security reports seriously and respond within 48 hours. Our disclosure policy lives at /.well-known/security.txt (RFC 9116) — please read it before testing.

Please don't run automated scanners against production without prior coordination — they create false-positive noise and can trip our rate limits. Email us first and we'll set up a window.
Report a security issue View security.txt
FAQ

Security questions, answered straight.

Is my customer data isolated from other Monqez AI customers?

Yes. Every customer has their own database row, their own knowledge base, and their own integration credentials. Queries are scoped by user_id on every read and write. We never share data across tenants and never train shared models on customer conversations.

How is data encrypted?

Sensitive fields (integration tokens, SMTP credentials, API keys) are encrypted at rest with AES-256-GCM using a key held in a server environment variable that is rotated periodically. All traffic to and from monqezai.io uses TLS 1.2+ with HSTS enforced for one year.

How are passwords stored?

Passwords are hashed with bcrypt at cost factor 12. Plain-text passwords are never logged, never stored, and never sent in emails — including password resets, which use a one-time token instead.

Are customer emails handled compliantly?

Yes. Every outbound Sales email carries an HMAC-signed unsubscribe link. Opt-outs are enforced before any future send — including across campaigns. The system is CAN-SPAM and GDPR-aware out of the box.

Where is data hosted?

On a dedicated VPS in the EU (Frankfurt region). Backups are encrypted. We use self-hosted infrastructure — your data is not on a hyperscale cloud unless you explicitly connect one via an integration.

How do I report a security issue?

Email am.khateeb@thechainex.io or fetch https://monqezai.io/.well-known/security.txt for our disclosure policy. We respond within 48 hours.

Trust starts with transparency.

Any other questions about how we handle your data? Reach the founder directly.

Ask on WhatsAppSee pricing