MFA required for all production access (engineering + support)
Quarterly access review, automated revocation on offboard
Annual penetration test by independent firm; results shared with customers under NDA
Access + audit logs
Every mutation in the platform writes an audit row with actor, IP, action, before-state, and after-state. Default retention: 7 years. Customers can read their own audit trail at any time; cross-tenant audit is isolated by RLS.
Audit log retention
7 years (SOX-aligned)
Session timeout
30 days idle / 24 hr active
API key rotation
90 days recommended, alerts at 60d
Failed-login lockout
5 attempts → 15 min cooldown
Production access
Audit-logged break-glass; <30 min/quarter avg
Customer impersonation
Per-session, audited, customer-notified
Privacy + data subject rights
GDPR / CCPA response SLA
30 days · usually <72 hr
Data residency (EU)
eu-central-1 (Frankfurt)
Data residency (US)
us-east-1 (Virginia)
Right-to-deletion
Self-serve via Settings → Profile
Right-to-export
JSON + CSV download, full history
Default cookies
Strictly necessary only; analytics opt-in
Sub-processors
We notify customers by email at least 30 days before any new sub-processor is added. Customers may object on reasonable grounds; if we can't accommodate, customer may terminate without penalty.
AWS
Object storage + compute
eu-central-1, us-east-1
Hetzner
Database + app hosting
DE / FI
Stripe
Payments
US / IE
Twilio
Telephony + SMS
US / IE
Vapi
Voice AI orchestration
US
Anthropic
Concierge LLM
US
Resend
Transactional email
US / IE
Sentry
Error monitoring (no PII)
US / DE
Cloudflare
CDN + WAF
Global
Certifications + audits
SOC 2 Type II
In audit · evidence collection complete · letter expected Q3 2026
ISO 27001
Planned 2027 · gap analysis complete
PCI DSS
Not in scope — never touches card data (Stripe Elements only)
HIPAA
Not in scope — no protected health information processed
GDPR
Compliant. DPA available, EU SCCs in place.
CCPA / CPRA
Compliant. Consumer rights portal in app.
Vulnerability disclosure
We respond to all credible reports within 1 business day. Critical vulnerabilities (RCE, auth bypass, full data exfil): 4 hours. We don't pursue legal action against good-faith researchers operating within scope.