Atithya AI Portal preview

Security

Source approval, domain controls, and instant pause from day one.

Atithya should build trust without overclaiming compliance. V1 focuses on practical controls: approved sources, tenant separation, server-side keys, rate limits, usage caps, retention, deletion, incidents, and pause.

P0: pause-first incident posture
Agent live
Domain allowlist
Instant pause
Incident trail
Data deletion

What matters

Trust language must be accurate.

Atithya can say it is designed with controls. It must not claim HIPAA, SOC 2, ISO, or GDPR compliance until those programs are implemented and reviewed.

01

Approved source control

Customers approve what the agent can use before publish, and noisy content like blogs can be excluded by default.

02

Domain allowlist

Free supports one customer domain, Pro two, Plus five, and Custom as agreed. Demo and localhost are controlled separately.

03

API key protection

AI keys stay server-side. Browser code should never expose secrets or private routing logic.

04

Incident response

Pause the agent, preserve safe logs, diagnose the issue, fix configuration or knowledge, rerun QA, and republish.

Workflow

V1 controls

Security is framed as practical operating control, not big-company theater.

  1. Source approval
  2. Domain allowlist
  3. Server-side keys
  4. Tenant metering
  5. Rate limiting
  6. Usage caps
  7. Retention
  8. Deletion

Practical trust controls

Security is a customer-visible operating system, not a promise hidden in a footer.

Pause-first posture
Approved source control

Customers approve the pages and documents the agent can use before publish.

Domain allowlist

Live agents answer only on approved customer, preview, and development surfaces.

Server-side API key protection

Keys stay behind the gateway. Browser code never receives secrets or private routing logic.

Tenant isolation

Agent knowledge, leads, transcripts, and settings are scoped to the owning customer.

Rate limiting

Request controls reduce abuse without making genuine visitors feel blocked.

Usage caps

Answer allowance and alerts keep spend predictable while lead capture remains available.

Abuse prevention

Out-of-scope prompts, unknown domains, and repeated suspicious activity are handled defensively.

Instant pause

The customer can pause an agent immediately while keeping a visitor-friendly handoff path.

Domain allowlist

Plans define where the agent is allowed to answer.

Free: 1 customer domain
Pro: 2 customer domains
Plus: 5 customer domains
Custom: custom domains
  • demo environment allowed
  • localhost only in development
  • unknown domains blocked
  • per-domain usage metering
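
A gateway-side sketch of the allowlist rules above, added here as an example and not Atithya's own code. The plan limits come from this page; the demo host, the tenant record shape, the `env` flag, the HTTPS requirement for customer domains, and all function names are assumptions.

```javascript
// Added example, not Atithya's code. Plan limits are from the page; DEMO_HOST,
// the tenant record shape and every function name are assumptions.
const PLAN_DOMAIN_LIMITS = { free: 1, pro: 2, plus: 5 }; // Custom: tenant.customLimit
const DEMO_HOST = "demo.example.test"; // placeholder for the demo environment
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Parse an Origin header into a URL, rejecting anything that is not a plain web origin.
function parseOrigin(origin) {
  if (typeof origin !== "string") return null;
  try {
    const url = new URL(origin);
    const isWeb = url.protocol === "https:" || url.protocol === "http:";
    // A real Origin header carries no credentials, path, query or fragment.
    if (!isWeb || url.username || url.password) return null;
    if (url.pathname !== "/" || url.search || url.hash) return null;
    return url;
  } catch {
    return null; // "null", empty string, or garbage
  }
}

// Decide whether the agent may answer for this tenant on this origin.
// env is "development" or "production" (assumed deployment flag).
function checkOrigin(tenant, originHeader, env) {
  const url = parseOrigin(originHeader);
  if (!url) return { allowed: false, reason: "bad_origin" };
  const host = url.hostname.replace(/\.$/, ""); // URL lowercases; drop trailing dot
  const meterKey = `${tenant.id}:${host}`; // per-domain usage metering bucket

  if (LOCAL_HOSTS.has(host)) {
    return env === "development"
      ? { allowed: true, reason: "localhost_dev", meterKey }
      : { allowed: false, reason: "localhost_outside_dev" };
  }
  if (host === DEMO_HOST) return { allowed: true, reason: "demo", meterKey };

  // Only the first N approved domains count, where N is the plan limit.
  const limit = PLAN_DOMAIN_LIMITS[tenant.plan] ?? tenant.customLimit ?? 0;
  const approved = tenant.domains.slice(0, limit).map((d) => d.toLowerCase());
  // Exact hostname match over HTTPS (assumed): no substring, suffix or wildcard.
  if (url.protocol === "https:" && approved.includes(host)) {
    return { allowed: true, reason: "customer_domain", meterKey };
  }
  return { allowed: false, reason: "unknown_domain" };
}
```

The `Origin` header is set by the browser, so this check limits where the embedded agent answers; non-browser clients can send any value, which is why rate limiting and usage caps sit alongside it.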

Incident response

Severity is defined before something goes wrong.

P0: unsafe answer, data leak, API abuse, wrong customer data
P1: important hallucination, lead capture broken
P2: UI issue or minor incorrect answer
P3: copy/design issue

Data handling

Conversation retention and deletion need a visible workflow.

Conversation retention

Keep transcripts for analytics and quality review only as long as the customer policy allows.

Data deletion workflow

Customer requests should remove leads, transcripts, source snapshots, and agent settings from the active workspace.

Response flow

Every incident should create a diagnosis trail.

  1. pause agent if needed
  2. notify Sherry immediately
  3. preserve safe logs
  4. diagnose cause
  5. fix knowledge, guardrail, or config
  6. re-run QA
  7. republish
  8. send customer note if needed

Product principle

What Atithya does not claim yet

No formal HIPAA, SOC 2, ISO, or GDPR claims until the product, process, legal terms, and audits support those statements.
