Security

Give every visitor a real-time trust score, automatically flag or block suspicious activity, and review borderline visitors — all from one dashboard.

Overview

Security gives every visitor a trust score from 0 to 100 — think of it as a credit score for the person on the other end of the chat. The score is calculated in real time from a set of built-in signals that look at behaviour, identity, and bot-like activity. Where a visitor's score lands decides whether they chat normally, get flagged as low trust, or are automatically blocked.

Security is available on the Growth plan and any plan that includes the Security add-on. If your plan doesn't include it, the Security section won't appear in your dashboard and no scoring runs. Blocking a visitor manually from the inbox is a separate action that works on every plan.

Key concepts

Trust score

Every new, anonymous visitor starts in the neutral middle at 50. From there:

  • Risk signals push the score down — attack tools, suspicious URLs, bot-like activity, or weak identity hints (like a disposable email).
  • Trust signals push the score up — a real email on file, an account that has been around for a while, or a known customer.

Weak risk flags fade after 30 days if the behaviour stops, proof of an attack is permanent, and trust a visitor has earned stays with them. Genuine search engine crawlers (Googlebot, Bingbot, and the like) are filtered out before scoring and never appear here.

The two lines and three zones

You set two threshold lines that split the 0–100 scale into three colour-coded zones:

ZoneWhere the score sitsWhat happens
🟢 TrustedAt or above the low-trust lineChats normally, no friction
🟡 Low trustBetween the two linesCan still chat; simply flagged as low trust
🔴 BlockedBelow the block lineAutomatically blocked from chatting

You can move both lines yourself, or pick a one-click protection preset, on the Policy page.

Trust band and team decisions

Security works on two layers:

  • Trust band (passive) — derived straight from the score, this is awareness only. A visitor sits in one of three bands — Trusted, Low trust, or Blocked — based on where their score lands. A low-trust visitor is never pushed at anyone to "decide" on; they can still chat.
  • Team decision (durable) — an optional, lasting choice your team makes that overrides the band:
    • Allowed — a permanent exemption. This visitor is never auto-blocked again, even if their score later drops into the low-trust or blocked range.
    • Blocked — this visitor is blocked, regardless of their score.

A visitor with no team decision simply follows their trust band.

What's inside

Overview

Key numbers at a glance — trusted, flagged and blocked counts, trust distribution, top risk signals, and recently flagged visitors.

Blocked

Visitors blocked by Security — review and Allow or Clear them in one place.

Visitors

Every visitor with their trust score, trust band, and risk signals. Search, filter (including a low-trust filter), and open a full security profile.

Policy

Choose a protection level, move the low-trust and block lines, and turn individual signals on or off.

How it works

Scoring runs automatically in the background — no extra code or SDK changes are needed:

  1. The Yaplet widget collects the events it already gathers (page views, sessions, identity).
  2. Each visitor is evaluated against the built-in signals.
  3. Triggered signals raise or lower the visitor's trust score.
  4. If the score drops into the low-trust zone, the visitor is flagged as low trust (awareness only — no action required).
  5. If it drops below the block line, the visitor is automatically blocked — the chat widget locks in their browser straight away.
A blocked visitor stays blocked until either their score climbs back above the block line (the automatic block lifts and they return to the low-trust zone) or your team clears the status. Manual bans and automatic blocks are tracked separately, so one can't accidentally undo the other.