Trust Center

Security and privacy, published honestly.

We won't tell you we have certifications we don't have. This page lists every control we run today, what we're actively building, and what's on the roadmap — so your security team can review reality, not marketing.

Status legend
Active = operating in production
In progress = work underway
Roadmap = committed, not started

Our principles

We design against the SOC 2 Trust Services Criteria.

Even before our SOC 2 Type II report is issued, we build to the five criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy — because they're the right framework for handling customer conversations through AI.

Security

Defense-in-depth across encryption, RLS, audit logging, and edge function authorization.

Availability

Managed cloud providers with redundancy, daily backups, and provider-published SLAs.

Processing Integrity

Workflows execute completely and accurately; privileged actions are auditable.

Confidentiality

Encrypted credentials, tenant isolation, least-privilege defaults.

Privacy

Data subject request (DSR) portal, subprocessor transparency, granular cookie consent.

Data minimization

We collect what we need to operate; you can delete your data on request.

Controls

Every control, with its real status.

No claim without evidence. Where a control isn't operating yet, we say so.

Encryption

  • TLS 1.2+ for all data in transit (provider-enforced)
    Active
  • AES-256 encryption at rest for databases, backups, and object storage
    Active
  • AES-256-GCM (Web Crypto) for OAuth tokens and integration secrets
    Active
  • Customer-managed encryption keys (BYOK)
    Roadmap

Access control

  • Row Level Security (RLS) on 100% of application tables
    Active
  • Role-based access control with security-definer policy functions
    Active
  • Strict tenant isolation enforced at the database layer
    Active
  • Leaked-password check (HIBP) at signup and reset
    Active
  • Optional multi-factor authentication for end users
    In progress
  • SSO (SAML/OIDC) for Scale customers
    In progress

Infrastructure

  • Hosted on SOC 2-audited cloud providers (Supabase / AWS / Vercel)
    Active
  • Logical isolation per tenant; no shared application state
    Active
  • Automated daily encrypted backups (provider-managed)
    Active
  • Infrastructure deployed via reviewed pull requests
    Active
  • Point-in-time recovery (PITR)
    In progress

Network & application

  • Strict Content Security Policy and CORS allowlists
    Active
  • HTML sanitization (DOMPurify) of user-supplied content before it is rendered
    Active
  • HMAC-verified webhooks for telephony and integrations
    Active
  • Edge CDN with provider DDoS protection (Vercel)
    Active
  • Dependency vulnerability scanning on every commit
    Active
  • Annual third-party penetration test
    Roadmap

Logging & monitoring

  • Append-only audit log for privileged actions
    Active
  • Automatic audit trail for feature-flag and admin changes
    Active
  • Centralized edge-function and database logs
    Active
  • Audit coverage of all sensitive flows (exports, role changes, OAuth)
    In progress
  • Real-time anomaly detection and on-call paging
    Roadmap

Vulnerability & incident response

  • Coordinated disclosure at security@digitalbar.ai (security.txt published)
    Active
  • 72-hour customer-notification commitment for confirmed data incidents
    Active
  • Public incident response policy
    Active
  • Documented severity ladder + on-call runbook
    In progress
  • Annual tabletop exercises
    Roadmap

Compliance posture

Where we stand on each framework.

Need our SOC 2 Type I letter or DPA? Email security@digitalbar.ai. A penetration-test attestation will be available once the first annual third-party test (listed under Roadmap above) is complete.

SOC 2 Type II

In progress

Type II audit engaged; report targeted within 12 months. The controls covered by our Type I report are operating today.

GDPR

Active

Data processing agreement (DPA) available on request. EU Standard Contractual Clauses (SCCs) cover transfers out of the EU. Data subject request (DSR) intake is live.

CCPA / CPRA

Active

California consumer rights honored via /privacy-requests.

TCPA

In progress

Consent capture and Do-Not-Call (DNC) enforcement are shipping; both are required before outbound calling.

CAN-SPAM

Active

Unsubscribe + sender identification enforced on all outreach.

PCI DSS

Active

SAQ-A scope: card data is handled entirely by Stripe (a PCI DSS Level 1 service provider); we do not store, process, or transmit cardholder data ourselves.

HIPAA

Roadmap

We do not currently act as a Business Associate or sign BAAs. HIPAA support is targeted for Scale-tier healthcare customers.

ISO 27001

Roadmap

Under evaluation, with late 2026 as the earliest target.

Subprocessors

Every vendor that may touch your data.

We publish the full list, including purpose and data region. You can subscribe to changes.

  • Supabase: database, auth, edge functions
  • AWS: underlying cloud infrastructure
  • Vercel: frontend hosting and CDN
  • Stripe: payment processing
  • Resend: transactional email
  • Relay / VAPI / Retell: voice and telephony
  • Google / OpenAI / Anthropic: LLM inference (zero-retention)

More for your security team