Account security
Accounts use authenticated sessions, encrypted passwords where password login is used, OAuth where enabled, and security verification such as Cloudflare Turnstile on public auth flows.
HTTPS and transport
Public and application traffic should be served over HTTPS in production.
Workspace access control
Access is organized by workspace and client identifiers, including client_id/workspace_id separation, roles, permissions, and workspace membership checks.
Secrets and credentials
Secrets, API keys, OAuth tokens, and integration credentials should be stored server-side or through protected credential systems. Public environment variables must not contain secret values.
Audit logs and monitoring
CallGen may keep technical logs, audit logs, security events, billing events, agent/tool execution metadata, and monitoring signals to detect failures and abuse.
Backups
Backups support continuity and disaster recovery and are retained on rolling schedules according to infrastructure configuration.
Vulnerability reporting
Report suspected vulnerabilities to security@gepetos.ai. Please include affected URLs, steps to reproduce, impact, and contact information. Do not access, modify, or exfiltrate data that is not yours.
This page is a product policy summary and baseline contractual notice. It should be reviewed by qualified counsel for your exact entity, jurisdiction, customer contracts, and regulated use cases.