Security policy

Last updated: May 16, 2026.

How Nusa Digital (CV Nusa Dewata Digital) protects Gofer.support and the GoFER platform. This overview is not a certification and does not replace your own security review.

Our commitment

GoFER handles customer conversations, contact data, and knowledge bases for multiple businesses. Security is built into product design—not added after the fact. We aim for tenant isolation you can explain to your legal team, least-privilege access for our staff, and honest communication when something goes wrong.

Architecture overview

GoFER is built on an API-first core (Go), with PostgreSQL for durable data, Redis for session and rate-limiting workloads, and separate Next.js applications for marketing, tenant workspace, and platform admin. Messaging channels (e.g. WhatsApp), CRM integrations, crawl workers, and AI inference connect through documented APIs and background jobs.

  • Multi-tenant workspaces with scoped data paths—customer data is not commingled in application logic.
  • Platform admin functions use separate authentication from tenant users.
  • Secrets and keys are stored outside source code and rotated according to operational policy.

Data protection

  • Encryption in transit (TLS) for public endpoints and integrations where supported.
  • Encryption at rest for production databases and object storage managed by our cloud providers.
  • Role-based access inside workspaces; audit-sensitive actions where implemented.
  • Backups and recovery procedures aligned with business continuity targets.
  • Data retention configurable by plan and described in our Privacy policy.

Access control

Customer accounts authenticate via the tenant application. We encourage strong passwords and will support additional controls (such as enforced two-factor authentication) as they roll out per plan. Internal access to production systems is limited to personnel who need it, with logging and periodic review.

AI and third-party processing

AI features send prompts and retrieved knowledge to infrastructure providers under contractual terms. We configure boundaries so workspace content is used to serve that workspace, not for unrelated training, unless you join a separate program with explicit consent.

Connected channels (WhatsApp Business API, Meta, Google, CRM vendors, etc.) have their own security models. You are responsible for securing channel credentials and reviewing their compliance posture.

Operational security

  • Dependency and image updates on a regular cadence; critical patches prioritized.
  • Monitoring, alerting, and structured logs for availability and security events.
  • Change management through version control, review, and staged deployment where feasible.
  • Vendor risk review for subprocessors that store or process customer data.

Your responsibilities

  • Protect account credentials and remove access for departed team members promptly.
  • Configure escalation rules and knowledge boundaries appropriate to your industry.
  • Ensure lawful collection of end-customer data and required privacy notices.
  • Review integrations you enable and the permissions you grant to third parties.

Incidents and breach notification

We maintain procedures to detect, contain, and remediate security incidents. If we confirm unauthorized access to personal data that triggers notification duties, we will inform affected customers without undue delay and cooperate on required regulatory steps, consistent with our agreements and applicable law.

Responsible disclosure

If you believe you have found a vulnerability in Gofer.support or GoFER, email security@gofer.support with a clear description, steps to reproduce, and impact assessment. Please allow reasonable time for us to investigate and remediate before public disclosure. We do not support unsolicited automated scanning that degrades service availability.

We appreciate good-faith reports and will acknowledge receipt. We may offer recognition at our discretion; we do not guarantee bug bounties unless a separate program is published.

Compliance and enterprise

Formal certifications (such as ISO 27001 or SOC 2) and detailed subprocessor lists are available on request for enterprise evaluations. Contact hello@gofer.support for security questionnaires and DPA reviews.

Changes

We may update this page as our practices mature. Material changes will be reflected in the “Last updated” date above.
