
Trust & compliance

Configure operator-specific legal and subprocessor disclosure at build time (see environment variables below). Your executed Data Processing Agreement, order form, and privacy policy are the legally controlling documents; this page is informational.

Data Processing Agreement (DPA)

Processor commitments and how to obtain the customer DPA

BotPM processes workspace data on behalf of your organization when you use the service. Categories of data, purposes, security measures, subprocessors, and transfer mechanisms belong in your executed DPA and privacy notice—not solely on this page.

Operators: set NEXT_PUBLIC_TRUST_DPA_URL (optional PDF or policy URL) and/or NEXT_PUBLIC_TRUST_LEGAL_EMAIL for contact.

Subprocessors

Infrastructure and vendors that may process service data

No subprocessor list is configured for this deployment. Your vendor or account team can provide the current list. Operators publish it by setting NEXT_PUBLIC_SUBPROCESSORS_JSON at Next.js build time (a JSON array of { name, purpose, region? } objects).
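Because NEXT_PUBLIC_* variables are inlined into the client bundle at build time, a malformed or over-broad subprocessor list is published to every visitor. The following validator is an added example, not BotPM's own code: it parses a value in the { name, purpose, region? } shape described above, rejects entries with unexpected keys (so an internal note or credential pasted into the JSON cannot reach the page), and fails the build with a clear error rather than rendering a broken list. The sample value, the duplicate-name check and the error class are assumptions of this example.

```typescript
// Added example (not BotPM's own code): validate NEXT_PUBLIC_SUBPROCESSORS_JSON
// before the trust page renders it. Expected shape: [{ name, purpose, region? }, ...]

interface Subprocessor {
  name: string;
  purpose: string;
  region?: string;
}

// Hypothetical error type so a build step can distinguish config errors.
class SubprocessorConfigError extends Error {}

// Only the keys documented for the list are allowed; anything else is rejected
// because NEXT_PUBLIC_* values are embedded verbatim in the client bundle.
const ALLOWED_KEYS = new Set(["name", "purpose", "region"]);

function nonEmptyString(v: unknown, field: string, index: number): string {
  if (typeof v !== "string" || v.trim() === "") {
    throw new SubprocessorConfigError(`entry ${index}: "${field}" must be a non-empty string`);
  }
  return v.trim();
}

function parseSubprocessors(raw: string | undefined): Subprocessor[] {
  // Unset or blank: the page falls back to its "no list configured" text.
  if (raw === undefined || raw.trim() === "") return [];

  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    throw new SubprocessorConfigError(
      `NEXT_PUBLIC_SUBPROCESSORS_JSON is not valid JSON: ${(e as Error).message}`,
    );
  }
  if (!Array.isArray(parsed)) {
    throw new SubprocessorConfigError("NEXT_PUBLIC_SUBPROCESSORS_JSON must be a JSON array");
  }

  const seen = new Set<string>();
  return parsed.map((entry, i) => {
    if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
      throw new SubprocessorConfigError(`entry ${i}: expected an object`);
    }
    const obj = entry as Record<string, unknown>;
    for (const k of Object.keys(obj)) {
      if (!ALLOWED_KEYS.has(k)) {
        throw new SubprocessorConfigError(`entry ${i}: unexpected key "${k}"`);
      }
    }
    const vendor = nonEmptyString(obj.name, "name", i);
    const purpose = nonEmptyString(obj.purpose, "purpose", i);
    const out: Subprocessor = { name: vendor, purpose };
    if (obj.region !== undefined) {
      out.region = nonEmptyString(obj.region, "region", i);
    }
    // Duplicate vendor names usually mean a copy-paste mistake in the list.
    const key = vendor.toLowerCase();
    if (seen.has(key)) {
      throw new SubprocessorConfigError(`entry ${i}: duplicate subprocessor "${vendor}"`);
    }
    seen.add(key);
    return out;
  });
}

// Constructed sample value, as an operator might export it in the build environment.
const SAMPLE_ENV = JSON.stringify([
  { name: "Example Cloud", purpose: "Hosting and storage", region: "EU" },
  { name: "Example Mail", purpose: "Transactional email" },
]);

// Usage: call once at build time, e.g. from next.config or the page's data loader.
const subprocessors = parseSubprocessors(SAMPLE_ENV);
console.log(`${subprocessors.length} subprocessor(s) will be published`);
```

Run the validator in the build step rather than in the browser: a thrown SubprocessorConfigError stops the build, which is the point, since a list that reaches production cannot be retracted from cached bundles.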

Security practices

Technical controls in the BotPM platform

  • HTTPS in production; optional HSTS when the API or Next.js host is TLS-only.
  • Multi-tenant isolation on the API (organization context on requests).
  • Rate limiting per client (Bearer or HttpOnly session cookie), tenant, and optional service API keys; Redis-backed limits when REDIS_URL is configured.
  • Structured logs favor correlation IDs and organization identifiers over raw PII.

Operators: see docs/SECURITY_COMPLIANCE_PLATFORM.md for headers, TLS, retention jobs, key rotation, and residency labeling (BOTPM_DATA_REGION_LABEL).
