Security & Trust

Security at Switchbord

Enterprise-grade security isn't an add-on — it's built into every layer of the platform. From open-source transparency and end-to-end encryption to EU-only data residency and GDPR controls, you stay in full control of your data.

AGPLv3 licensed · EU-hosted (Italy) · GDPR-ready · AES-256 + TLS 1.3

Security fundamentals

Six pillars that keep your data — and your customers' data — safe.

Open Source (AGPLv3)

Every line of code is public and auditable. No black boxes, no hidden logic. Licensed under AGPLv3 — fork it, inspect it, contribute back.

View on GitHub

Encryption in Transit & at Rest

All data in transit is protected with TLS 1.3. Data at rest is encrypted with AES-256. Your messages and credentials are never stored in plain text.

EU Data Residency

Our cloud is hosted in Italy via the Supabase EU region. Your data stays within European borders at all times — no cross-Atlantic transfers.

GDPR Compliance

Built-in consent management, an immutable opt-out ledger, and configurable data retention controls. Designed for compliance from day one.

Workspace Isolation

Full multi-tenant isolation enforced at the database level. Each workspace operates in its own silo — no data ever leaks across tenants.

Secrets Vault

WhatsApp Cloud API tokens and AI provider credentials are stored exclusively in an encrypted Supabase Vault — never in plain columns or logs.

Audit & Monitoring

Tamper-evident audit trails

Every significant action in Switchbord — consent changes, message sends, credential updates, and workspace configuration edits — is written to an append-only audit log.

Logs are structured, timestamped, and tied to authenticated identities. This means you always know who did what, and when — making compliance reviews and incident investigations straightforward.

Append-only logs

Every action is recorded and cannot be modified or deleted.

Structured + timestamped

JSON-formatted entries with actor identity, resource, and timestamp.

Identity-linked

All entries are tied to an authenticated workspace member or system actor.

Compliance-ready export

Filter and export logs for regulatory reviews and incident reports.

Responsible Disclosure

Found a vulnerability?

We take security reports seriously. If you've discovered a potential vulnerability in Switchbord — whether in the open-source code or the hosted platform — please reach out to us privately before public disclosure. We'll investigate promptly and coordinate a fix.

We don't operate a formal bug bounty programme yet, but we deeply appreciate responsible researchers and will acknowledge your contribution publicly if you'd like.

Please include a clear description, reproduction steps, and any relevant environment details.

Want to dig deeper?

Browse the technical documentation for full details on encryption, data handling, and self-hosting security — or get in touch with the team directly.