Security

Wassel connects your AI agent to your store. That only works if you trust how we handle access. Here is exactly how it works.

Real-time pass-through

Wassel relays each action between your agent and the connected service. It does not keep a copy of your orders, products, or customer records.

Encrypted credentials

The only thing we store per connection is the access token, encrypted at rest. It is used solely to make the calls your agent requests.

Least-privilege scopes

Each connection requests only the permissions its tools need. Sensitive scopes, like customer data, are opt-in and never default.

Revoke any time

Disconnect a service or uninstall the app and its stored token is deleted. You stay in control of access from your dashboard.

Architecture

Wassel is a stateless proxy. When your agent asks for an action, Wassel authenticates the request, calls the connected service's API, returns the result to your agent, and retains nothing. We do not warehouse your business data and we do not use it for advertising, profiling, or training models.

How credentials are protected

  • Access tokens are encrypted at rest in a dedicated secret store, separate from application data.
  • All traffic between your agent, Wassel, and the connected services is encrypted in transit with TLS.
  • Your Wassel workspace key is shown once and sent as a request header. Treat it like a password; you can regenerate it any time, which immediately invalidates the old one.
  • Inbound webhooks from connected platforms are verified by HMAC signature before any action is taken. An invalid or missing signature is rejected.
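
The webhook check in the last bullet, sketched as an added example (not Wassel's own code): the signature is verified over the raw request bytes, and a missing or invalid signature is rejected before the payload is parsed or acted on. The page does not name the algorithm, encoding, or header, so HMAC-SHA256, hex encoding, and the header name `X-Example-Signature` are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 over the raw request body, hex-encoded in a header.
# The page names neither the algorithm nor the header; both are illustrative.
SIGNATURE_HEADER = "X-Example-Signature"  # hypothetical header name


def sign(secret: bytes, raw_body: bytes) -> str:
    """Compute the hex HMAC-SHA256 a sender would attach to raw_body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the header carries a valid signature for raw_body."""
    received = headers.get(SIGNATURE_HEADER)
    if not received:  # missing or empty header is rejected
        return False
    expected = sign(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict, actions: list) -> int:
    """Verify first, parse second; return an HTTP-style status code."""
    if not verify_signature(secret, raw_body, headers):
        return 401  # nothing is parsed or acted on
    event = json.loads(raw_body)  # parse only after the bytes are authenticated
    actions.append(event["type"])
    return 200


if __name__ == "__main__":
    secret = b"constructed-test-secret"        # constructed sample value
    body = b'{"type":"order.created","id":1}'  # constructed sample payload
    log = []
    good = {SIGNATURE_HEADER: sign(secret, body)}
    print(handle_webhook(secret, body, good, log))                      # valid
    print(handle_webhook(secret, body, {}, log))                        # missing
    print(handle_webhook(secret, body.replace(b"1", b"2"), good, log))  # tampered
    print(log)
```

Verifying the exact bytes received, rather than a re-serialized copy of the parsed JSON, matters because re-encoding can change whitespace or key order and break an otherwise valid signature.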

Permissions and consent

Every connection requests only the scopes its tools need. Scopes that touch sensitive data, such as customer records, are opt-in: you enable them explicitly, and they are never part of the default connection. You can review and revoke any connection from your dashboard, or from the connected service's own settings.

Sub-processors

Wassel runs on a small set of infrastructure providers, used only for hosting and secure storage:

  • Railway — application hosting
  • Supabase — database and encrypted secret storage
  • Cloudflare — edge delivery and network security
  • Freemius — billing and payment, as merchant of record

Data deletion

Disconnect an integration, uninstall the app, or delete your workspace, and the stored connection token is deleted. Because we hold no copy of your customer or order data, there is nothing further to erase. Full detail is in our Privacy Policy.

Reporting a vulnerability

If you believe you have found a security issue, email hello@wassel.cloud with the details and steps to reproduce. Please do not publicly disclose it until we have had a chance to respond. We do not pursue good-faith researchers who follow responsible disclosure.

Contact

Security questions: hello@wassel.cloud.