Security

Our approach

Frydai is designed for e-commerce operators who connect real store, ad, and AI accounts. Security is built around isolation, least privilege, and explicit confirmation for high-impact actions — not a shared inbox or multi-tenant chat product.

Frydai is operated as a business of 187n.ai. This page describes our security practices at a high level; it is not a certification or audit report.

One operator per customer

• Each paying customer receives a dedicated runtime environment for their Frydai operator, provisioned separately at activation.
• Your operator runs inside your own Telegram bot — created by you via BotFather — not a shared Frydai bot used by multiple businesses.
• You control which Telegram user IDs may access the bot. Additional users can be managed from Settings.

Credentials and secrets

• API keys and tokens (OpenAI, Telegram, Shopify, Meta, Klaviyo, HiggsField, and others) are collected during setup or in the dashboard and stored to operate your environment.
• Credentials are held in our customer database and synced to your dedicated container configuration. They are not exposed in the marketing site or shared with other customers.
• Sensitive fields are masked in the dashboard UI. We recommend rotating keys if you suspect compromise.
• You bring your own OpenAI and optional provider keys — spend and usage on those platforms remain under your provider accounts and billing.

Confirm-gated actions

Skills that can spend money or publish externally (such as launching ads or sending customer messages) are designed to require your confirmation in Telegram before execution. Frydai is built to delegate work via chat, not to take irreversible commercial actions silently.

Application and infrastructure security

• HTTPS — the Frydai website and dashboard are served over encrypted connections.
• Security headers — including protections against clickjacking and MIME-type sniffing on web routes.
• Authentication — dashboard and setup access are gated by Whop-backed membership verification. API routes re-check session and subscription status before sensitive operations.
• Webhook verification — billing webhooks from Whop are verified using signed payloads before we update customer records.
• Fail-closed access — protected pages and provisioning endpoints deny access when membership or configuration checks do not pass.

Third-party dependencies

Frydai integrates with services you choose to connect — including Telegram, OpenAI, Whop, Shopify, Meta, Klaviyo, HiggsField, Apify, and Airtable. Each provider maintains its own security model and terms. You should review their documentation, enable appropriate account protections (2FA where available), and scope API tokens to the minimum permissions required.

Your responsibilities

• Keep your Whop login, Telegram account, and dashboard access secure
• Restrict bot access to trusted Telegram user IDs
• Use strong, unique API keys and revoke compromised credentials promptly
• Review AI-generated ads, copy, and operational actions before publishing
• Ensure your use of connected platforms complies with their policies and applicable law

Data location and subprocessors

Customer records are stored using Supabase. Operator containers and the Frydai web application run on managed hosting infrastructure. These providers may process data in multiple regions according to their own policies and our agreements with them.

Incident reporting

If you discover a security vulnerability or suspect unauthorised access to your Frydai account or bot, contact us immediately at hello@frydai.ai. Please include a description of the issue and steps to reproduce it where possible. We ask that you do not publicly disclose unresolved critical issues before we have had a reasonable opportunity to investigate.

Updates

We continuously improve Frydai's security posture as the product evolves. This page may be updated to reflect meaningful changes to our architecture or practices.

Contact

Security questions: hello@frydai.ai
Frydai — a business of 187n.ai