Security posture for AI support teams.

Tinfiz is designed with workspace isolation, controlled AI Actions, and human approval flows for sensitive operations. This page explains the current security model clearly and without overclaiming.

Contact securityRead privacy policy

Workspace isolation

Customer conversations, knowledge sources, actions, and analytics are scoped to the active workspace.

Customer data ownership

Your organization owns the support data it adds to Tinfiz. We process it to provide the service.

Controlled automation

AI Actions use explicit endpoints, required parameters, allowlists, logs, and approval flows for risky operations.

Practical safeguards for support teams using AI.

Security for an AI support product is not only login protection. It includes workspace boundaries, safe AI grounding, controlled API actions, access roles, and clear incident reporting.

Data ownership

Your workspace owns the support content, contacts, conversations, and knowledge sources it adds.

Grounded answers

AI should answer from approved workspace context and avoid unsupported claims when evidence is missing.

Action approval

Sensitive write actions can require a human before the API request is executed.

Audit visibility

Logs, timeline events, assignments, and notifications make operational activity easier to review.

Workspace isolation

Tinfiz is built around organization-scoped workspaces. Conversations, contacts, knowledge bases, AI Actions, usage, and reporting are queried and guarded by workspace context.

  • Agents operate inside their active organization.
  • Server-side guards remain the final authority for protected operations.
  • Organization switching reloads workspace state so badges, limits, and permissions stay aligned.

Grounded AI and knowledge handling

Knowledge Base sources are used to help AI answer customer questions in the context of your organization. The goal is useful answers from approved support content, not unrestricted guessing.

  • Knowledge sources can be text notes, URLs, or documents.
  • Source health, indexed storage units, and re-index controls help teams keep answers current.
  • When no verified answer is available, the assistant should avoid pretending and can guide the customer toward human help.

AI Actions safety

AI Actions are designed for controlled API usage. Admins define the endpoint, method, required parameters, and safety settings before the AI can use an action.

  • Read actions can fetch approved data when required parameters are available.
  • Risky write actions should require human approval before execution.
  • Action logs capture status, failure reason, latency, request preview, and response output for review.

Secrets and domain allowlists

Secrets are kept server-side and masked in the UI. Domain allowlists reduce where AI Actions can send outbound requests.

  • Action secrets are not exposed to widget visitors.
  • Admins can rotate action secrets when credentials change.
  • Outbound allowlists help prevent accidental calls to unapproved domains.

Access control and team roles

Tinfiz separates workspace membership from customer conversations so teams can invite agents without giving everyone full administrative access.

  • Admin and agent roles support different workspace responsibilities.
  • Team permissions can limit access to sensitive operational areas.
  • Assignment, notes, timeline, and notifications help keep agent activity visible.

Billing and plan security basics

Billing state and plan limits are enforced server-side. Frontend labels help users understand access, but protected backend checks decide what can run.

  • Plan guards control channels, AI Actions, Agent Copilot, analytics, and usage limits.
  • Stripe handles payment collection and subscription checkout flows.
  • Usage limits are based on recorded activity, not removable UI records.

Direct answers for security review.

These are practical answers for teams evaluating workspace isolation, AI grounding, secrets, actions, and incident contact.

Does Tinfiz sell customer data?
No. Customer support data is processed to provide the product. Tinfiz is designed around workspace data ownership, not selling customer conversations or knowledge base content.
Can AI answer without verified knowledge?
The assistant is designed to avoid unsupported claims when approved workspace context is missing. Teams can review no-answer and low-confidence signals to improve the knowledge base.
Are action secrets exposed to widget visitors?
No. Action secrets are handled server-side and masked in admin UI. Widget visitors should never receive raw action credentials.
Can risky write actions run automatically?
Risky write actions should require human approval. Admins can use action safety settings, logs, allowlists, and approval queues to keep execution controlled.
Who should we contact for a security report?
Send details to security@tinfiz.ai. Avoid sending passwords, full API keys, or unnecessary customer data by email.

Report a security issue

If you believe you found a security issue in Tinfiz, contact us with enough detail to reproduce or assess the report. We will review and respond as quickly as we can.

security@tinfiz.ai

What to include

  • Describe what happened and when you noticed it.
  • Include affected workspace, domain, or user email if relevant.
  • Do not send passwords, full API secrets, or unnecessary customer data by email.
No system is 100% secure. This page describes the security posture Tinfiz is designed around and will be updated as the platform and controls mature.