Any tool that talks to your customers touches sensitive data — names, order details, sometimes payment or health information. Before you connect a chatbot to real conversations, you need to know exactly how that data is protected, who can see it, and how long it sticks around. Here's what actually matters when evaluating a vendor's security posture, not just what's on their marketing page.
Data in transit and at rest
Encryption is the baseline check, but "we encrypt data" isn't specific enough — ask how.
Transport encryption
Confirm the vendor enforces TLS 1.2 or higher for every connection — the chat widget, the admin dashboard, and any API integrations. This should be table stakes; if a vendor can't confirm it in writing, that's a disqualifying red flag.
Encryption at rest
Stored conversation logs, embeddings, and uploaded documents should be encrypted at rest (AES-256 is the common standard). Ask specifically whether this applies to backups and to any third-party subprocessors (e.g. the vendor's own hosting or vector database provider) — encryption that stops at the primary database isn't the whole picture.
Compliance frameworks
Compliance certifications aren't a checkbox — they tell you what's actually been audited, by whom, and how recently.
SOC 2
A SOC 2 Type II report means an independent auditor tested the vendor's security controls over a period of time (not just a point-in-time snapshot). Ask for the report directly rather than trusting a badge on the website — legitimate vendors will share it under NDA.
GDPR
If you serve EU customers, GDPR compliance matters regardless of where your company is based. Check for:
- A signed Data Processing Agreement (DPA)
- Data residency options (EU-hosted data if required)
- A documented process for handling data subject access/deletion requests
HIPAA
HIPAA only applies if you're in healthcare and the chatbot might touch Protected Health Information (PHI). Most general-purpose chatbot vendors explicitly exclude this use case in their terms — if you're in healthcare, confirm a Business Associate Agreement (BAA) is available before you send any PHI through the tool, not after.
[!WARNING] Never paste real customer PII into a chatbot's training data or test environment unless you've confirmed in writing that the vendor's compliance posture supports it. Test environments are frequently held to a lower security bar than production.
Access controls
Encryption protects data from outside attackers; access controls protect it from your own team.
Role-based permissions
Conversation logs and admin settings should be scoped by role — not every teammate needs access to raw customer transcripts. At minimum, look for separate permission tiers for viewing conversations, editing the bot's configuration, and managing billing/account settings.
Audit logs
Ask whether the vendor logs who accessed what, and for how long those logs are retained. If someone on your team (or the vendor's) views a customer's conversation, you should be able to answer "who saw this and when" after the fact.
[!TIP] During a trial, create a second admin seat with restricted permissions and confirm the restriction actually works before rolling the tool out to your full team.
Data retention
Ask how long conversation data is retained by default, and whether you can configure shorter retention windows or request deletion on demand. A vendor that can't tell you a specific retention period — or that retains everything indefinitely with no deletion path — is a liability if you're ever asked to comply with a data subject deletion request.
Good answer: "90 days by default, configurable down to 30, deletion within 7 days of request."
Bad answer: "We keep it as long as needed for product improvement."Vendor security checklist
Use this as a quick pass/fail list before signing with any chatbot vendor:
- TLS enforced on all connections (widget, dashboard, API)
- Data encrypted at rest, including backups and subprocessors
- SOC 2 Type II report available on request
- DPA available if you serve EU customers
- BAA available if you're in healthcare and might touch PHI
- Role-based access control on conversation logs and settings
- Audit logs for admin/data access
- Clear, configurable data retention policy with a deletion path
Security isn't a one-time checkbox — revisit your vendor's compliance documentation annually as your own regulatory requirements evolve, and re-run this checklist any time you add a new integration that gives the chatbot access to more sensitive data.
Get new posts in your inbox
No spam. Unsubscribe anytime.