Security & trust
Mani sits in front of your visitors and captures their contact details. Here is exactly how we handle that data, what we run today, and what is on the roadmap. We will not claim a control we don’t actually have.
Data we collect
- From your site: the public content Mani is trained on (pages, RSS, uploaded files). You decide what we ingest.
- From your visitors: chat messages, and — only when a visitor voluntarily fills the lead card — their name, email, phone, and the question that prompted the capture.
- From you: account email, billing identifiers (handled by Stripe, not stored on our servers in plaintext), and the destinations you wire Mani into (webhook URL, Slack channel, etc.).
Controls we run today
- Every request to onmanifest.com and every embedded widget call is HTTPS-only. HSTS is on.
- PostgreSQL volumes and object storage are encrypted at the disk level by our managed providers.
- Every API call is scoped by your partner key. You can rotate the key from your dashboard at any time.
- Outgoing webhooks are signed with a per-partner secret you can rotate. Verify on your end before acting on a payload.
- Signup, chat, and API endpoints are rate-limited per IP and per partner to keep the embed honest under load.
- Your widget only loads on the domains you list. A leaked snippet on a stranger’s site won’t answer.
- We record dashboard actions that change configuration (member invites, key rotations, integration changes) so you can see who did what.
- Email privacy@onmanifest.com for a per-visitor export or deletion request. We action it within 30 days.
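As an added example (not Mani's own code, and not taken from this page), here is what "verify on your end before acting on a payload" looks like on the receiving side of a signed webhook. The HMAC-SHA256 scheme, the header names and the timestamp field are assumptions used for illustration; take the real values from Mani's webhook documentation. It also shows accepting the previous secret during a rotation window so in-flight deliveries are not dropped when you rotate.

```python
import hashlib
import hmac
import json

# Hypothetical header names and scheme; confirm the real ones in Mani's docs.
SIGNATURE_HEADER = "X-Mani-Signature"
TIMESTAMP_HEADER = "X-Mani-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries older than five minutes (replay window)


def compute_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' (assumed scheme), hex-encoded."""
    message = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_webhook(secrets, headers: dict, raw_body: bytes, now: int) -> bool:
    """True only if the delivery is fresh and matches one of the candidate secrets.

    `raw_body` must be the exact bytes received; re-serialising parsed JSON
    changes whitespace and key order and breaks the MAC.
    """
    timestamp = headers.get(TIMESTAMP_HEADER, "")
    provided = headers.get(SIGNATURE_HEADER, "")
    if not timestamp.isdigit() or abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False
    # During a rotation, pass [new_secret, old_secret] so deliveries signed
    # with the previous key are still accepted until the overlap ends.
    for secret in secrets:
        expected = compute_signature(secret, timestamp, raw_body)
        # compare_digest avoids leaking the mismatch position via timing
        if hmac.compare_digest(expected, provided):
            return True
    return False


def handle_delivery(secrets, headers: dict, raw_body: bytes, now: int):
    """Verify first, parse second: never act on a body that failed the check."""
    if not verify_webhook(secrets, headers, raw_body, now):
        return None
    return json.loads(raw_body)


# Constructed sample delivery (not real Mani traffic).
SECRET = "rotate-me-from-the-dashboard"
BODY = b'{"event":"lead.captured","name":"A. Visitor","email":"a@example.com"}'
TS = "1700000000"
GOOD_HEADERS = {TIMESTAMP_HEADER: TS, SIGNATURE_HEADER: compute_signature(SECRET, TS, BODY)}
```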
Sub-processors
The third parties that touch your data when you use Mani:
| Vendor | Purpose | Data |
|---|---|---|
| AWS | Application hosting, database, object storage | All |
| Stripe | Subscription billing | Account email, payment method (tokenized) |
| OpenAI / OpenRouter | Generating chat answers | Chat messages and the page snippets used to answer them |
| Google Workspace | Lead notification emails sent on your behalf | Lead email, name, message snippet |
If we add or replace a sub-processor, we update this list before the change goes live.
Incidents
If we discover a security incident that affects your data, we will email the account owner within 72 hours of confirming it, with what happened, what we know, what data was involved, and what we’re doing about it. Status updates land at status@onmanifest.com.
Roadmap — not in production today
We list these openly so you know what we are working toward and can plan accordingly. We will not pretend they exist before they do.
- SOC 2 Type II — observation period planned, report not yet issued.
- Signed GDPR DPA — standard template available on request; portal-signed version is in progress.
- HIPAA-eligible deployment — not available; do not use Mani for PHI.
- SSO / SAML — in design.
Contact
Security questions, vulnerability reports, or data-handling questions: security@onmanifest.com. We read every email.