BikriAgent Security Position

BikriAgent should never ask owners for Instagram, Facebook, WhatsApp, payment, Supabase, Vercel, or email passwords. Owners connect channels only through official provider authorization screens.

• Owner login is required before product, rule, channel, or order actions.
• Passwords must be strong and cannot reuse owner name, email, or phone number.
• Supabase Row Level Security separates each owner, business, customer, and conversation.
• Supabase service role key is server-side only and never exposed to frontend code.
• Meta passwords are never collected by BikriAgent.
• Meta webhook signatures are checked before live pipeline processing.
• Social channel tokens are encrypted before saving.
• Live auto-send has a global kill switch and per-channel emergency pause.
• Risky messages such as allergy, refund, payment issue, and angry complaints go to owner review.
• Product import, password reset, and social connection APIs have basic rate limits.

• Cloudflare WAF and bot rules on bikriagent.com.
• Cloudflare Turnstile on signup, password reset, and product import.
• Payment verification before real channel connection or auto-send access.
• Admin suspension dashboard for fake or abusive owners.
• Daily auto-send limits per owner and channel.
• Security alert emails for suspicious activity.
• Automated customer data deletion workflow.
• Regular backup and restore test.

A new owner should not get unlimited live access immediately. The safest launch model is login, email verification, payment verification, account status check, limited trial usage, and admin suspension if suspicious behavior appears.

Customer messages must stay tied to one owner, one business, one social channel, one customer, and one conversation. If a channel cannot be matched to exactly one connected owner, BikriAgent should stop instead of replying.