Skip to content

Security & Privacy

How HelpJet protects your bots and your data — prompt-injection defenses, response screening, encrypted credentials, access control, and what session data is collected from widget visitors.

On this page

Putting an AI bot in front of the public raises fair questions: can visitors trick it, can they extract your configuration, and what happens to the data they generate? This article describes the protections built into every HelpJet bot and is honest about what each layer does — and doesn't — cover.

Prompt-injection and jailbreak protection

Every message a visitor sends is screened before it reaches the AI model. Two layers run on every turn:

  • Per-message screening — the message is checked against known manipulation techniques: attempts to override the bot's instructions, extract its system prompt, or push it into an unrestricted mode.
  • Conversation-flow analysis — the recent conversation is examined as a whole, so escalating attempts spread across several messages, and rapid-fire repeated probing (a sign of automated attacks), are caught even when each individual message looks harmless.

When either layer triggers, the request is blocked and the visitor gets a polite redirect back to the bot's actual topic — no error dump, no hint about what was detected. Blocked turns are never billed as interactions.

We intentionally don't publish the detection specifics. The protections are updated over time and apply to every bot automatically — there's nothing to configure.

Response screening

Screening runs on the way out too. Before a reply reaches a visitor, it's checked for signs that the model is about to leak internal configuration — system instructions, tool details, or prompt contents. A reply that trips this check is replaced with a neutral fallback message rather than delivered.

This is a safety net, not a substitute for sensible training: don't put secrets (API keys, internal URLs, pricing you haven't published) into your training sources or custom prompt. Treat everything the bot is trained on as potentially visible to a determined visitor.

Domain allowlisting

Your embed code is visible to anyone who views your site's source. Allowed Domains (in the bot's General Settings) restricts which websites the widget will load on, so someone can't paste your embed code onto their own site and burn through your interaction allowance.

Credential storage

Some features require credentials for your other systems:

  • WordPress — if you connect a WordPress site with an application password or JWT for training, those credentials are encrypted with AES-256-GCM before they're stored, and decrypted only at the moment HelpJet fetches your content.
  • Password-protected sites — HTTP Basic auth or bearer-token credentials for protected training sources (set up with help from support) are encrypted the same way.
  • Help Scout — Help Scout Assist connects via OAuth, so HelpJet holds access tokens rather than your Help Scout password, and you can revoke access from Help Scout at any time.

Access control inside HelpJet

Who can see and change your bots is governed by two layers: organization roles (admin vs. member) and per-bot roles (owner, admin, editor, viewer). Members have no access to any bot until someone grants it. See Organizations & Team Members and Bot Permissions.

Sensitive account actions get extra protection: changing your password requires re-verifying your identity first (see Profile & Preferences), and billing changes are restricted to organization admins.

Usage limits as protection

Every organization has a hard interaction ceiling — its plan allowance plus any purchased credits, bounded by the auto-recharge spend cap if you use one. If something goes wrong (a scripted flood of messages, an embed on an unexpected site), spend can't run away unbounded: the bot stops responding when the pool is exhausted. Details in Understanding Interactions.

What data is collected from widget visitors

When a visitor chats with your bot, HelpJet records the conversation itself (visible to your team in the bot's Activity tab) plus session metadata:

Data

Examples

Location (derived from IP)

Country, city, timezone

Device & browser

Desktop/mobile/tablet, browser, operating system, language

Traffic source

Referring page, UTM parameters (source, medium, campaign)

Session details

Which domain the widget loaded on, message counts, response times

This exists so you can understand who your bot is serving and how well it's performing. A few boundaries worth stating plainly:

  • Visitors are never shown your interaction counts, plan, or any billing information — that stays inside your dashboard.
  • Visitors aren't asked to identify themselves to use the widget.
  • Anything a visitor types into the chat is stored as part of the conversation, so if your use case invites sensitive input, say so in your bot's welcome message and handle transcripts accordingly.

Common questions

Can a visitor extract my system prompt?

The input screening, conversation analysis, and response screening described above exist specifically to prevent this, and they block the common techniques. No defense against a probing attacker is absolute, though — which is why the practical rule is: never train a bot on anything you couldn't tolerate a visitor seeing.

Do blocked or failed messages count against my allowance?

No. Blocked attempts, errored replies, and duplicate turns are all excluded from billing — see Understanding Interactions.

Who at HelpJet can see my conversations?

HelpJet staff access customer data only for support and operational purposes. Within your own team, conversation access follows bot permissions.

How do I report a security issue?

Contact support from inside your HelpJet dashboard. Security reports are prioritized.

Was this article helpful?