Skip to content
Home / Support data controls that are clear enough to evaluate
Security overview

Support data controls that are clear enough to evaluate

This page describes the current architecture and its limits without claiming certifications or controls that have not been independently verified.

Data flow

  1. An email webhook or website widget maps a request to one organization.
  2. Ticket messages and configuration are stored in tenant-scoped Postgres tables.
  3. Relevant ticket text, conversation context, approved documentation, and response instructions may be sent to the AI provider.
  4. The resulting summary, category, confidence, sources, and draft return to the review queue.
  5. A person reviews, edits, asks for information, escalates, or explicitly approves.
  6. An approved reply is sent through the configured support channel and remains in the ticket history.

Vendors

Vercel

Hosts the Next.js application and server functions.

Supabase

Provides hosted Postgres, authentication, and optional tenant-scoped file storage.

Anthropic

Processes selected ticket and approved knowledge context for classification and draft preparation through its commercial API.

Postmark

Processes inbound and outbound support email.

Stripe

Processes subscriptions and billing events. AppsResolve does not receive full payment-card details.

Read the current integration boundaries.

AI processing

Anthropic receives only the selected ticket and knowledge context required for a processing request. AppsResolve does not train its own models on customer content. Anthropic states that commercial API content is not used to train its models unless a customer explicitly opts into its Development Partner Program. Anthropic publishes a standard API retention period of up to 30 days, subject to its documented agreements, policy-enforcement, and legal exceptions.

Customers can define restricted topics and should avoid placing secrets, payment-card data, private keys, or unnecessary sensitive data in support messages or knowledge content. Managed-service reviewers can access in-scope tickets and approved documentation only to deliver the agreed service.

Access controls

Supabase Auth handles sessions. Organization access requires an explicit membership record. Tenant-scoped queries carry an organization context and Postgres row-level security policies provide a database boundary. Operator routes use a separate allowlisted identity. Access can be revoked by removing organization membership or operator authorization. Ticket, draft, and AI activity records provide workflow history where implemented.

Data retention

Ticket and knowledge data is retained while an account is active so the support history remains usable. Automated retention schedules, self-service exports, self-service account deletion, and backup-restore reporting are still being developed. Export, deletion, and account-closure requests are handled manually through support@appsresolve.com after identity and scope verification.

Encryption

Production browser traffic uses HTTPS. Hosted providers document encryption for their managed services, but AppsResolve has not completed an independent encryption-control audit and does not claim a separate proprietary encryption layer.

Incident reporting

Report a suspected security or privacy issue to support@appsresolve.com. Include the affected organization, approximate time, and a description that avoids unnecessary sensitive data. ND SOFT will acknowledge the report and coordinate next steps. No fixed acknowledgement time or service-level guarantee is claimed yet.

Compliance status

AppsResolve does not currently claim SOC 2, ISO 27001, HIPAA, PCI DSS certification for the application, or another formal security certification. Stripe handles card payment data in its own environment. Security documentation and controls will be updated as the product and customer requirements mature.