Approved source control
Customers approve what the agent can use before publish, and noisy content like blogs can be excluded by default.
Security
Atithya should build trust without overclaiming compliance. V1 focuses on practical controls: approved sources, tenant separation, server-side keys, rate limits, usage caps, retention, deletion, incidents, and pause.
What matters
Atithya can say it is designed with controls. It must not claim HIPAA, SOC 2, ISO, or GDPR compliance until those programs are implemented and reviewed.
Free supports one customer domain, Pro two, Plus five, and Custom as agreed. Demo and localhost are controlled separately.
AI keys stay server-side. Browser code should never expose secrets or private routing logic.
Pause the agent, preserve safe logs, diagnose the issue, fix configuration or knowledge, rerun QA, and republish.
Workflow
Security is framed as practical operating control, not big-company theater.
Practical trust controls
Customers approve the pages and documents the agent can use before publish.
Live agents answer only on approved customer, preview, and development surfaces.
Keys stay behind the gateway. Browser code never receives secrets or private routing logic.
Agent knowledge, leads, transcripts, and settings are scoped to the owning customer.
Request controls reduce abuse without making genuine visitors feel blocked.
Answer allowance and alerts keep spend predictable while lead capture remains available.
Out-of-scope prompts, unknown domains, and repeated suspicious activity are handled defensively.
The customer can pause an agent immediately while keeping a visitor-friendly handoff path.
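As an added example that is not Atithya's own code, the following gateway-side check enforces the domain allowlist and plan caps described above (Free one domain, Pro two, Plus five, Custom as agreed) and keeps localhost on a separate path from customer domains. The tenant record shape, the field names, and the decision labels are assumptions for illustration.

```javascript
// Added example, not Atithya's code. Plan caps are taken from the page text;
// the tenant record shape and field names are assumptions.
const PLAN_DOMAIN_CAP = { free: 1, pro: 2, plus: 5 };

// Development surfaces are controlled separately from customer domains:
// they never count against the plan cap and are only served when the
// tenant has preview/development mode enabled (assumed flag).
const DEV_SURFACES = new Set(["localhost", "127.0.0.1"]);

// Custom plans carry a negotiated cap on the tenant record (assumed field).
function domainCap(tenant) {
  if (tenant.plan === "custom") return tenant.customDomainCap;
  return PLAN_DOMAIN_CAP[tenant.plan];
}

// Validate the configured allowlist before the agent is published.
function validateAllowlist(tenant) {
  const cap = domainCap(tenant);
  if (!Number.isInteger(cap)) return { ok: false, reason: "no domain cap for plan" };
  const domains = tenant.approvedDomains.map((d) => d.toLowerCase());
  if (domains.some((d) => DEV_SURFACES.has(d))) {
    return { ok: false, reason: "dev surface listed as a customer domain" };
  }
  if (domains.length > cap) {
    return { ok: false, reason: `plan ${tenant.plan} allows ${cap} domain(s)` };
  }
  return { ok: true, reason: "" };
}

// Parse the request Origin; a missing or malformed value yields null.
function normalizeHost(origin) {
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Decide whether a live chat request may reach this tenant's agent.
// Exact host match only: subdomains must be listed explicitly (assumption).
function requestDecision(tenant, origin) {
  if (tenant.paused) return "paused"; // customer pause wins; caller shows handoff
  const host = normalizeHost(origin);
  if (host === null) return "deny";
  if (DEV_SURFACES.has(host)) return tenant.previewEnabled ? "allow-preview" : "deny";
  const allowed = tenant.approvedDomains.some((d) => host === d.toLowerCase());
  return allowed ? "allow" : "deny";
}
```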
Domain allowlist
Incident response
Data handling
Keep transcripts for analytics and quality review only as long as the customer's retention policy allows.
A customer deletion request should remove leads, transcripts, source snapshots, and agent settings from the active workspace.
Response flow
Product principle
No formal HIPAA, SOC 2, ISO, or GDPR claims until the product, process, legal terms, and audits support those statements.