Security
Security built into the chat path
Conversations stay isolated from your site's scripts. Tokens are signed, domains are allowlisted, and abuse is rate-limited.
Controls
Iframe isolation
The chat UI runs on our origin inside an iframe. Your page's JavaScript never sees message contents.
Signed visitor tokens
Visitor sessions use signed tokens so history can't be spoofed or read across sites.
Domain allowlist
The widget only loads on domains you register — stolen site IDs don't work elsewhere.
Strict CSP & TLS
Transport is encrypted; content security policy limits what the widget and dashboard can load.
Rate limiting
Abuse and flooding are stopped at the edge before they reach your inbox.
Role-based access
Owners and agents have separate permissions for settings versus conversations.
Report a vulnerability
If you believe you have found a security issue in Lavenity, please tell us privately before public disclosure.
- Email hey{'@'}lavenity.com with a clear description and steps to reproduce.
- Include affected URL or component (widget, dashboard, API) and impact if known.
- Give us a reasonable window to investigate and ship a fix before sharing publicly.
We take reports seriously and will acknowledge receipt as soon as we can.
Security reports: hey@lavenity.com
For how we handle personal data, see the Privacy policy.