What we do, and what we deliberately don't.
Plain English. No marketing fluff. Every sub-processor, every cert status, every data flow — public.
No LinkedIn scraping. Ever.
Hard rule. Public sources only — careers pages, funding feeds, press, M&A registries, live site fingerprints, public profiles only with explicit user consent.
● ENFORCEDEncryption everywhere.
TLS 1.3 in transit, AES-256 at rest. Database backups encrypted. Per-workspace data isolation. Secrets in a managed KMS.
● LIVEDaily backups, 30-day retention.
Point-in-time recovery on Postgres. Restore tested monthly. Customer-data export available on request, ≤ 48h.
● LIVESOC 2 Type I (in progress).
External audit scheduled Q3 2026. Type II in 2027. We won't claim certification until we have the report PDF — ask if you need an early copy of the policies.
◑ ROADMAPWhere we stand, today.
Where company-level events go.
Note · we store company-level event data only. We do not store personal data without explicit input from a user.
Every vendor that touches your data.
Updated within 7 days of any change. Subscribe to changes →
| Vendor | Role | Region | Data category | DPA |
|---|---|---|---|---|
| AWS | Hosting (US-East-1, EU-West-1) | US, EU | All workspace data | ● |
| Cloudflare | CDN + WAF | Global | Metadata, no payloads | ● |
| PostgreSQL (RDS) | Event log database | US, EU | Signal events + scores | ● |
| Anthropic | Agent inference (extraction) | US | Public event text | ● |
| Sentry | Error tracking | US | Stack traces, no PII | ● |
| Stripe | Billing | US | Billing only, no events | ● |
| Resend | Transactional email | US | Workspace user emails | ● |
| Evomi / DataImpulse | Proxy mesh (ingest only) | Global | Public web traffic | ● |
Two incidents this year. Both small.
Full uptime + incident dashboard at /status.