Data & Security
Effective Date: January 2026
1. Our Commitment
You're trusting us with your customer data, CRM credentials, and business systems. We take that seriously. This page explains our technical security measures, data handling practices, and uptime commitments.
2. Infrastructure & Uptime
We maintain 99.9% uptime for production automation workflows:
- Hosting: SOC 2 compliant cloud infrastructure with automated failover
- Monitoring: 24/7 automated alerts for workflow failures, API errors, and system issues
- Backups: Daily encrypted backups with point-in-time recovery
- Maintenance: Scheduled updates communicated 48 hours in advance (typically off-peak hours)
- n8n Workflows: Self-hosted on secure infrastructure—your workflow logic and data never leave our control
Uptime excludes third-party service outages (CRMs, email providers, Calendly) beyond our control.
3. Data Encryption
All data is encrypted at rest and in transit:
- In Transit: TLS 1.3+ for all connections (website, APIs, integrations)
- At Rest: AES-256 encryption for databases, file storage, and backups
- Credentials: API keys and OAuth tokens encrypted separately with rotating encryption keys
4. Access Control
Strict controls limit who can access your data:
- Team Access: Only authorized engineers working on your account (minimum 2-person review for sensitive operations)
- Authentication: Multi-factor authentication (MFA) required for all team members
- Audit Logs: All data access logged with timestamps and user IDs
- Offboarding: Immediate credential revocation when team members leave
5. Data Handling Practices
We treat your data as confidential by default:
- Minimal Collection: We only store data needed to run your workflows (lead info, CRM records, automation logs)
- No Sharing: Your data is never shared with third parties except as required to deliver services (e.g., sending emails via your SMTP provider)
- Separation: Each client's data isolated in separate databases and workflow environments
- Retention: Client data deleted within 90 days of service termination (unless you request export or laws require retention)
6. GDPR & Privacy Compliance
We comply with global privacy regulations:
- GDPR (EU): Lawful basis for processing, data minimization, right to erasure, data portability
- CCPA (California): Right to know, delete, and opt out of data sales (we never sell data)
- Australia Privacy Act: Australian Privacy Principles (APPs) compliance for AU clients
- NZ Privacy Act: Information Privacy Principles (IPPs) compliance for NZ clients
See our Privacy Policy for details on data subject rights.
7. Third-Party Services
We use vetted providers for specific functions:
- Calendly: Scheduling consultations (data stored per Calendly's privacy policy)
- n8n: Self-hosted workflow engine—data stays under our direct control, not shared with n8n.io
- Cloud Hosting: SOC 2 certified providers with encryption and compliance certifications
- Email/SMS Gateways: Only client-authorized providers (your existing vendors)
All third parties sign Data Processing Agreements (DPAs) with equivalent security standards.
8. Security Incident Response
If a breach occurs, we act fast:
- Notification: Affected clients notified within 72 hours (GDPR requirement)
- Containment: Immediate isolation of compromised systems
- Investigation: Root cause analysis and remediation plan
- Disclosure: Transparent communication about what happened, what data was affected, and steps taken
9. Development Security
Our code and deployment practices:
- Code reviews required before production deployment
- Automated security scanning for vulnerabilities
- Separate staging and production environments
- No hardcoded credentials (secrets managed via encrypted vaults)
- Regular dependency updates to patch known vulnerabilities
10. Certifications & Audits
While we're not yet SOC 2 certified as a company, our infrastructure providers are. We're working toward formal certification as we scale. In the meantime, we follow SOC 2 controls internally and can provide security questionnaires upon request.
Contact Information
Security questions or incident reports? Email hello@clickstream.dev