Trust Center
Transparent visibility into how we protect your data
No badge wall. Real statuses — including the one we haven't earned yet — real controls, and every third party that touches your data.
Certified infrastructure
In place: Every vendor in the stack holds SOC 2 Type 2 or equivalent (full list below).
GDPR-aligned practices
In place: Data minimization, deletion on request, no selling or sharing, disclosed subprocessors.
MakoChat SOC 2 audit
Planned: We won't show this badge until an independent auditor issues it. Until then: verify our practices below.
12 Controls: Safeguards running across our infrastructure and processes
6 Subprocessors: Every third party that touches data — fully disclosed
4 Data commitments: Plain-English promises about how data is treated
Controls
✓ Encryption in transit (TLS everywhere)
Every connection — visitor chats, dashboards, APIs — runs over HTTPS. Strict-Transport-Security is enforced with a 2-year preloaded policy.
✓ Mandatory two-factor authentication
Required on all administrative accounts. New admins must enroll within 7 days or the panel locks until they do.
✓ Deny-by-default database access
Row-level security denies all direct access. Only our authenticated server reads or writes, and each business's dashboard can only ever see its own data.
✓ Nightly off-platform backups
Full database export every night to separate storage infrastructure, 30 days retained — one system's failure can't take the data with it.
✓ 24/7 external uptime monitoring
An independent monitor outside our hosting provider checks the service every 15 minutes and alerts the team on failure.
✓ Secret scanning on every code change
All commits are scanned for leaked credentials, with weekly full-history audits.
✓ Automated dependency patching
Dependencies are reviewed and patched on a weekly automated schedule; the build currently reports zero known vulnerabilities.
✓ Strict Content-Security-Policy
Enforced CSP, clickjacking protection, MIME-sniffing protection, and a locked-down browser permissions policy on every page.
✓ Widget abuse protection
Per-business website allowlists, per-IP rate limiting, conversation caps, and monthly usage caps stop quota theft and bot abuse.
✓ Bot protection on public forms
Cloudflare Turnstile verification on signup and contact forms, validated server-side.
✓ Payment isolation
Card data never touches our servers — checkout runs entirely on Stripe (PCI-DSS Level 1).
✓ Least-privilege email & alerts
Operational alerts and lead emails route into a staffed support desk; failures are logged and surfaced, never silent.
Data commitments
✓ Never used to train AI models
Conversations are processed to generate replies and nothing else. No model training, ever.
✓ Never sold or shared
Your data and your customers' data are not sold, rented, or shared beyond the subprocessors listed below.
✓ Your leads belong to you
Conversations and leads captured by a business's widget belong to that business.
✓ Deletion on request
Stored in the United States; deleted within 30 days of a verified request to support@makologics.com.
Subprocessors
| Vendor | Purpose | Their certifications |
|---|---|---|
| Vercel | Web hosting & serverless infrastructure | SOC 2 Type 2 |
| Supabase | Database (US East) | SOC 2 Type 2 · HIPAA-ready infrastructure |
| Retell AI | AI conversation processing | SOC 2 Type 2 · HIPAA-compliant platform |
| Stripe | Payments | PCI-DSS Level 1 |
| Resend | Transactional email delivery | SOC 2 Type 2 |
| Cloudflare | Bot protection & DNS | ISO 27001 · SOC 2 Type 2 |
Why no SOC 2 badge?
Because we haven't earned one yet, and trust pages shouldn't say otherwise. MakoChat is built and operated by Mako Logics LLC, a Texas managed-IT provider whose livelihood is protecting client systems. When MakoChat reaches the scale where an independent audit adds real assurance, we'll do it — and the badge will mean something.
Found a security issue? Email support@makologics.com with "Security report" in the subject — a human reads it the same day.