For security reviewers + enterprise prospects + investors

Where the data lives. Who can see it. How to delete it.

The questions an enterprise security review will ask, answered in plain English. We tell you the truth, including the parts where we're not where we want to be yet (SOC 2, data residency in the EU). If you need formal compliance attestations to deploy, this page also tells you when we'll have them.

"Your data. Your tenant. Nobody else's brain." — Orbit

Orbit, confident thumbs-up — your data, your tenant, nobody else's
In this document
  1. Where customer data lives
  2. Encryption — at rest + in transit
  3. Who can read it
  4. Data residency
  5. Deletion + retention SLAs
  6. Subprocessors / vendor list
  7. Compliance status
  8. Incident response
  9. What we won't lie about

Where customer data lives.

Orbit isn't a single application. It's a stack of clearly-separated stores, each with one job. This is the actual map — same data shape every BizBot vertical uses.

DataWhere it livesWhy
Customer profiles
(name, email, phone, history)
Supabase Postgres (US-East). Project: orbit-brain.Source of truth for shared memory. Service-role-only access.
Orbit events log
(every action the brain emits)
Supabase Postgres (US-East). Table: orbit_events.Append-only audit trail. Drives the orchestrator + the public sanitized feed.
Call recordings + transcriptsRetell AI (US data center). Linked by CallSid only — we never copy the audio.Retell handles the realtime AI voice stack. We pull transcripts via API on-demand.
SMS message bodiesTwilio (US). 30-day retention by default.Twilio is the carrier. Our DB stores the SMS metadata + a 60-char preview, not full bodies.
Payment + billingStripe (US, SOC 2 Type II).Card data never touches our servers. We store Stripe customer/subscription IDs only.
Email marketing + transactionalBrevo (EU). Lists by vertical.Brevo is GDPR-aligned by default; lists segmented per vertical.
Vertical app data
(jobs, listings, programs, etc.)
Vertical-specific Postgres tables in the same Supabase project, JSONB-extended per vertical.Vertical detail lives next to identity, not in a separate CRM.
Static site + edge cacheVercel (global edge network).HTML, CSS, JS, images. No PII in static assets.

Encryption — at rest + in transit.

Who can read it.

Data residency.

Today: US (primary). Supabase Postgres is hosted in us-east-1. Vercel edge serves globally but origin functions run in iad1 (US East). Retell, Twilio, Stripe all US-domiciled.

Email is the exception: Brevo is EU-hosted (France). EU customers' marketing email content stays in the EU. Customer records in the brain are still US-resident.

EU data residency: Not available today. We don't operate an EU Supabase replica. If you have a hard requirement to keep all customer data in the EU, we are not the right vendor today. We track this against our enterprise pipeline; it's the most-asked-for capability we don't have yet. Currently estimated 2026-Q4 if commercial demand justifies the operational complexity.

Deletion + retention SLAs.

TypeRetentionDeletion SLA
Customer requests their data deleted30 days end-to-end (Postgres + Brevo + Retell + downstream archives).
BizBot tenant cancels their subscription90-day soft retention (in case of resub)Day 91: hard delete from Postgres. Stripe data follows Stripe's own retention.
Call recordings (Retell)Default 30 days.Auto-purged by Retell.
SMS message bodies (Twilio)Default 30 days.Auto-purged by Twilio.
Orbit events logIndefinite (audit trail). Customer-specific events redacted on customer-deletion request.Customer-deletion request: 30 days to redact all customer_phone_hash + payload.customer.* fields for that customer.
Backups30-day rolling.Backups age out of the window naturally; we don't run separate backup-deletion jobs for customer requests.

Email hello@bizbottech.com with subject "Data deletion request" + the customer email or phone. We confirm receipt within 1 business day and complete within 30 calendar days, sending you a written confirmation when done.

Subprocessors (vendor list).

VendorPurposeCompliance
Anthropic (Claude)LLM for orchestrator + module-specific generationSOC 2 Type II, GDPR
SupabasePostgres database + authSOC 2 Type II, GDPR (DPA available)
VercelStatic hosting + serverless functionsSOC 2 Type II, GDPR
Retell AIRealtime voice agent stackSOC 2 Type II in progress (vendor-confirmed)
TwilioSMS + voice carrierSOC 2 Type II, HIPAA-eligible
StripeBilling + subscription + paymentSOC 1, SOC 2, PCI DSS L1
BrevoEmail (transactional + marketing)GDPR-native (EU-domiciled)
CloudflareDNS + DDoSSOC 2 Type II

We notify customers 30 days in advance of any new subprocessor. Subscribe to hello@bizbottech.com to get the notice list.

Compliance status.

Incident response.

What we won't lie about.

Honest claims, including the inconvenient ones.

BizBot is currently a one-person company (Steve Stott, founder + sole engineer). That means: response times can be excellent because you talk directly to the person who built it; and it also means we don't have a 24/7 SOC, we don't have a dedicated security team, and a Type II SOC 2 is genuinely 12+ months away.

We tell prospects this on the first call. We tell investors this in the deck. If you need enterprise-grade security tooling today and can't deploy without it, we're not your vendor — and we're not going to manufacture a story that says otherwise.

The flip side: the architecture is straightforward, the data flow is documented above, the stores are well-known SOC-2-attested vendors (Supabase, Vercel, Stripe, Twilio, Anthropic, Cloudflare). Most of the controls a Type II audit would check are inherited from those vendors. The work between here and Type I is mostly paperwork — and that's what we're doing right now.

Have specific questions?

Email Steve directly.

For DPAs, security questionnaires, BAA requests, or anything compliance-related: hello@bizbottech.com. The founder reads every one and replies within one business day.