Where the data lives. Who can see it. How to delete it.
The questions an enterprise security review will ask, answered in plain English. We tell you the truth, including the parts where we're not where we want to be yet (SOC 2, data residency in the EU). If you need formal compliance attestations to deploy, this page also tells you when we'll have them.
"Your data. Your tenant. Nobody else's brain." — Orbit
Where customer data lives.
Orbit isn't a single application. It's a stack of clearly-separated stores, each with one job. This is the actual map — same data shape every BizBot vertical uses.
| Data | Where it lives | Why |
|---|---|---|
| Customer profiles (name, email, phone, history) | Supabase Postgres (US-East). Project: orbit-brain. | Source of truth for shared memory. Service-role-only access. |
| Orbit events log (every action the brain emits) | Supabase Postgres (US-East). Table: orbit_events. | Append-only audit trail. Drives the orchestrator + the public sanitized feed. |
| Call recordings + transcripts | Retell AI (US data center). Linked by CallSid only — we never copy the audio. | Retell handles the realtime AI voice stack. We pull transcripts via API on-demand. |
| SMS message bodies | Twilio (US). 30-day retention by default. | Twilio is the carrier. Our DB stores the SMS metadata + a 60-char preview, not full bodies. |
| Payment + billing | Stripe (US, SOC 2 Type II). | Card data never touches our servers. We store Stripe customer/subscription IDs only. |
| Email marketing + transactional | Brevo (EU). Lists by vertical. | Brevo is GDPR-aligned by default; lists segmented per vertical. |
| Vertical app data (jobs, listings, programs, etc.) | Vertical-specific Postgres tables in the same Supabase project, JSONB-extended per vertical. | Vertical detail lives next to identity, not in a separate CRM. |
| Static site + edge cache | Vercel (global edge network). | HTML, CSS, JS, images. No PII in static assets. |
Encryption — at rest + in transit.
- In transit: All traffic over HTTPS / TLS 1.3 enforced.
Strict-Transport-Security: max-age=31536000; includeSubDomainsin the response headers (verifiable in DevTools on any BizBot page). - At rest (Postgres): AES-256 disk-level encryption via Supabase / underlying AWS RDS. Backups encrypted with separate keys.
- At rest (object storage): Vercel CDN + Retell recording storage both use AES-256.
- API tokens: Stored in Vercel environment variables, never in source code. Token rotation is on a quarterly cadence with break-glass rotation when a developer leaves.
- What we don't claim: Customer-managed keys (KMS). We don't expose customer-specific encryption keys today. If your security review requires CMK, that's a roadmap conversation.
Who can read it.
- The customer's own dashboard: sees their own customer record only. Enforced by JWT subject claim + row-level filtering on every read query.
- The orchestrator (Claude Haiku): sees the event payload + the customer profile for that one customer. Cross-customer reads aren't part of any prompt path.
- Steve Stott (founder): sees everything via service-role access. Logged in audit-logger.
- Ops contractors: none with database access today. When that changes, scoped read-only roles + audit logging required before access is granted.
- The public: sees the sanitized brain feed (documented here) and the Scout aggregate stats. Nothing else is reachable without auth.
Data residency.
Today: US (primary). Supabase Postgres is hosted in us-east-1. Vercel edge serves globally but origin functions run in iad1 (US East). Retell, Twilio, Stripe all US-domiciled.
Email is the exception: Brevo is EU-hosted (France). EU customers' marketing email content stays in the EU. Customer records in the brain are still US-resident.
EU data residency: Not available today. We don't operate an EU Supabase replica. If you have a hard requirement to keep all customer data in the EU, we are not the right vendor today. We track this against our enterprise pipeline; it's the most-asked-for capability we don't have yet. Currently estimated 2026-Q4 if commercial demand justifies the operational complexity.
Deletion + retention SLAs.
| Type | Retention | Deletion SLA |
|---|---|---|
| Customer requests their data deleted | — | 30 days end-to-end (Postgres + Brevo + Retell + downstream archives). |
| BizBot tenant cancels their subscription | 90-day soft retention (in case of resub) | Day 91: hard delete from Postgres. Stripe data follows Stripe's own retention. |
| Call recordings (Retell) | Default 30 days. | Auto-purged by Retell. |
| SMS message bodies (Twilio) | Default 30 days. | Auto-purged by Twilio. |
| Orbit events log | Indefinite (audit trail). Customer-specific events redacted on customer-deletion request. | Customer-deletion request: 30 days to redact all customer_phone_hash + payload.customer.* fields for that customer. |
| Backups | 30-day rolling. | Backups age out of the window naturally; we don't run separate backup-deletion jobs for customer requests. |
Email hello@bizbottech.com with subject "Data deletion request" + the customer email or phone. We confirm receipt within 1 business day and complete within 30 calendar days, sending you a written confirmation when done.
Subprocessors (vendor list).
| Vendor | Purpose | Compliance |
|---|---|---|
| Anthropic (Claude) | LLM for orchestrator + module-specific generation | SOC 2 Type II, GDPR |
| Supabase | Postgres database + auth | SOC 2 Type II, GDPR (DPA available) |
| Vercel | Static hosting + serverless functions | SOC 2 Type II, GDPR |
| Retell AI | Realtime voice agent stack | SOC 2 Type II in progress (vendor-confirmed) |
| Twilio | SMS + voice carrier | SOC 2 Type II, HIPAA-eligible |
| Stripe | Billing + subscription + payment | SOC 1, SOC 2, PCI DSS L1 |
| Brevo | Email (transactional + marketing) | GDPR-native (EU-domiciled) |
| Cloudflare | DNS + DDoS | SOC 2 Type II |
We notify customers 30 days in advance of any new subprocessor. Subscribe to hello@bizbottech.com to get the notice list.
Compliance status.
- Live GDPR alignment. DPA available on request; EU customer email handled by Brevo (EU). Data deletion process documented above.
- Live FTC guardrails on Stars review replies. Hard-coded refusals for incentive-for-review patterns. Documented on the Stars module page.
- In progress SOC 2 Type I. Targeted 2026-Q3. We're using Vanta (or equivalent) for the controls inventory. We don't have a Type I report to share today; if your security review requires one to deploy, we'll either get there before your timeline or we're not the right vendor for you yet.
- In progress HIPAA business associate agreement (BAA) for the BrightChair vertical (dental). Twilio + Anthropic + Supabase all HIPAA-eligible; we need to formalize the BAA chain. Targeted 2026-Q3.
- Not yet SOC 2 Type II. 12 months after Type I. Not on the roadmap until Type I lands.
- Not yet HITRUST / FedRAMP / ISO 27001. Not on the roadmap. If you need these, we're not the right vendor.
Incident response.
- Discovery to internal acknowledgement: < 1 hour, 24/7. Founder gets paged via PagerDuty equivalent (currently SMS + email).
- Customer notification: within 72 hours of confirmed breach affecting customer data, per GDPR standard. Likely much faster in practice (we're a 1-person operation; the founder writes the email himself).
- Postmortem: public-facing incident reports for any breach affecting more than one customer. Linked from the changelog and emailed to affected accounts.
- Bug bounty: not formalized today. If you find something, email
hello@bizbottech.comwith subject "Security report" and we'll respond within 24 hours.
What we won't lie about.
Honest claims, including the inconvenient ones.
BizBot is currently a one-person company (Steve Stott, founder + sole engineer). That means: response times can be excellent because you talk directly to the person who built it; and it also means we don't have a 24/7 SOC, we don't have a dedicated security team, and a Type II SOC 2 is genuinely 12+ months away.
We tell prospects this on the first call. We tell investors this in the deck. If you need enterprise-grade security tooling today and can't deploy without it, we're not your vendor — and we're not going to manufacture a story that says otherwise.
The flip side: the architecture is straightforward, the data flow is documented above, the stores are well-known SOC-2-attested vendors (Supabase, Vercel, Stripe, Twilio, Anthropic, Cloudflare). Most of the controls a Type II audit would check are inherited from those vendors. The work between here and Type I is mostly paperwork — and that's what we're doing right now.
Email Steve directly.
For DPAs, security questionnaires, BAA requests, or anything compliance-related: hello@bizbottech.com. The founder reads every one and replies within one business day.