Security & Compliance

Last updated: June 25, 2026

CAAC Go is operated by Crescendo Lab, the team behind a messaging & AI platform trusted by 800+ brands. Security isn’t a checkbox we add later — these are controls that are live in the product today. Below is a plain-language summary of how we protect your data and your visitors’ data.

Encryption

Traffic to CAAC Go is served over HTTPS/TLS. Sensitive credentials you connect — such as channel access tokens — are encrypted at rest using AES-256-GCM authenticated encryption, not stored in plain text. The encryption key is held in our secrets manager, separate from the database.

Tenant isolation & access control

  • Every workspace is isolated. Data — knowledge sources, conversations, contacts — is scoped to your workspace, and access is enforced by role (owner / admin / member) on every request.
  • Your widget runs only where you allow it. You can restrict your chat widget to an allowlist of domains, so a copied embed key can’t be used to run your agent on a site you don’t control.

Safe crawling (SSRF protection)

When the agent trains itself on your website, every URL it fetches — and every redirect it follows — is checked against a blocklist of private, internal, and cloud-metadata addresses before the request is made. This prevents the crawler from being pointed at internal infrastructure.
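As an illustration of the check described above (an added example, not Crescendo Lab's code), the sketch below vets a URL and every redirect hop before any request is made. The function names, the redirect limit, the use of "not globally routable" as the blocklist, and the sample data are all assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5  # assumed limit, not a value from the page
# Constructed sample data (not real crawl results) for offline runs.
SAMPLE_DNS = {"docs.example.com": ["93.184.216.34"], "intranet.example.com": ["10.0.0.5"]}
SAMPLE_PAGES = {"https://docs.example.com/": (302, "http://169.254.169.254/"),
                "https://docs.example.com/faq": (200, None)}

class BlockedURL(Exception):
    """Raised when a URL must not be fetched by the crawler."""

def is_blocked_ip(text):
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:10.0.0.1 is really 10.0.0.1
        ip = ip.ipv4_mapped
    # "Not globally routable" covers loopback, RFC 1918, link-local
    # (including the 169.254.169.254 metadata address) and reserved ranges.
    return not ip.is_global

def dns_resolve(host):
    """Default resolver; callers can pass a stub instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_url(url, resolve=dns_resolve):
    """Return the vetted IPs for url, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"unsupported URL: {url}")
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        addrs = resolve(parts.hostname)
    # Reject if ANY answer is internal; connect only to the returned IPs so a
    # second DNS lookup cannot swap in a different address.
    if not addrs or any(is_blocked_ip(a) for a in addrs):
        raise BlockedURL(f"internal or unresolvable host: {parts.hostname}")
    return addrs

def safe_fetch(url, fetch, resolve=dns_resolve):
    """fetch(url) -> (status, location_or_None) and must NOT follow redirects."""
    for _ in range(MAX_REDIRECTS + 1):
        check_url(url, resolve)  # runs before every request, redirects included
        status, location = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return url, status
    raise BlockedURL("too many redirects")
```

The HTTP client passed as `fetch` has to have automatic redirect following disabled; otherwise the intermediate hops are never seen by `check_url`.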

Abuse prevention

Sign-in codes, site training, the public demo, and widget endpoints are rate-limited per IP and per account to protect against abuse and runaway cost. AI usage is metered per workspace.

AI sub-processors

To generate replies we send the relevant conversation and knowledge context to third-party large-language-model providers (Google and Microsoft Azure OpenAI). We send only what is needed to produce an answer. We do not sell your data or your visitors’ data, and we don’t use it to train third-party models beyond generating your replies.

Data ownership, retention & deletion

Your content and conversations are yours. You can remove knowledge sources, export or delete contacts, and delete conversations from inside the product at any time, and request deletion of your account and associated data by contacting us. See our Privacy Policy for the full detail.

Infrastructure

CAAC Go runs on Google Cloud (Cloud Run and Cloud SQL) in a managed, access-controlled environment. Application secrets are stored in Google Secret Manager, never in source code.

Reporting a vulnerability

Found a security issue? We want to hear about it. Please reach us via Crescendo Lab and we’ll respond promptly. See also our Terms of Service and Privacy Policy.

This page describes controls that are in place today and is provided for transparency. For a formal security questionnaire or a Data Processing Agreement (DPA), contact us.

CAAC Go · © 2026 Crescendo Lab