How cStar protects your data and your customers' data.

Data Protection

Encryption

  • All data encrypted in transit using TLS 1.3
  • Data encrypted at rest using AES-256
  • Passwords hashed with bcrypt

Access Control

  • Six-role permission system (Owner, Admin, Manager, Librarian, Agent, Spectator) with 26 granular permissions
  • Session management with automatic expiration
  • Cookie security: all authentication cookies use httpOnly, secure, and sameSite flags
  • Widget session tokens expire after 4 hours

File Uploads

Ticket and message attachments accept these MIME types up to 25MB per file (max 10 files per message):

  • Images: JPEG, PNG, GIF, WebP
  • Documents: PDF, DOC, DOCX, XLS, XLSX
  • Video: MP4, WebM, QuickTime
  • Text: plain text, CSV, JSON
  • Archives: ZIP

Community post attachments are restricted to images only (JPEG, PNG, GIF, WebP) up to 5MB per file. Public content has tighter limits because we host the bandwidth.

SVG uploads are blocked. SVG files can carry inline scripts and event handlers that execute when rendered, so we don't accept them as customer-facing attachments. Convert SVGs to PNG or WebP before uploading.

A list of dangerous extensions (.exe, .bat, .dll, .reg, etc.) is blocked outright. Filenames are sanitized against path traversal attacks.

Input Security

  • HTML content sanitized on import and in user-generated content (<script>, <iframe>, <object>, <embed>, <form> tags removed)
  • Inbound webhook signatures cryptographically verified in production using HMAC-SHA256
  • Outbound webhooks blocked from delivering to private network addresses (loopback, RFC 1918, link-local, *.local, *.internal) to prevent SSRF

Rate Limiting

  • Password reset endpoints rate-limited to prevent brute force
  • Widget authentication rate-limited
  • API endpoints enforce per-key rate limits (1,000/hour for secret keys, 100/hour for publishable keys)
  • Customer identity verification gates further attempts after repeated failures

Privacy

What We Collect

  • Account information (email, name)
  • Support ticket data you create
  • Usage analytics (anonymized)

What We Don't Do

  • Sell your data to third parties
  • Access your data without your permission
  • Store unnecessary personal information
  • Use your data to train AI models

Your Rights

You can:

  • Export all your data at any time. Owners and Admins use Settings → Team → Export. Managers can export via the API (export_data permission).
  • Request complete data deletion
  • Update your personal information
  • Control notification preferences

Compliance

  • GDPR compliant
  • Regular security reviews

Reporting Vulnerabilities

Found a security issue? Email security@cstar.help. We take every report seriously and will respond promptly.