How we earn your trust.
We believe trust is built through transparency, not marketing. Here is exactly how we handle your data, protect your systems, and structure our engagements.
How We Handle Your Data
Sub-Processors
These are the third-party services that process data as part of our work. We only share what is necessary for the specific function.
| Service | Purpose | Location |
|---|---|---|
| Anthropic (Claude) | AI model for Automation Blueprint generation and agent intelligence | US |
| Supabase | Database and authentication (PostgreSQL) | US (us-east-1) |
| Resend | Transactional email delivery | US |
| Vercel | Website hosting and edge functions | US (global CDN) |
Encryption
TLS 1.2+ in transit for all connections. AES-256 at rest via Supabase managed encryption. No data stored in plaintext.
Data Residency
All primary data is stored in the United States (AWS us-east-1 via Supabase). Vercel serves static assets globally via CDN.
Automation Blueprint Data
When you submit an Automation Blueprint, here is exactly what happens:
Your challenge description and email are sent to our API (Vercel, US).
The description is sent to Anthropic Claude to generate your Automation Blueprint analysis. Anthropic does not train on API inputs.
The Automation Blueprint result, your email, and a hashed version of your IP (not the raw IP) are stored in Supabase.
Your Automation Blueprint is delivered via email (Resend) and available at a unique URL.
Automation Blueprint data is retained for 90 days, then deleted.
We do not sell your data. We do not use your Automation Blueprint content to train models. If you opt into marketing emails, you can unsubscribe at any time.
Security Practices
Security-First Architecture
Our Technical Lead, Carlos Jorge, brings certifications in mobile pentesting (CMPen), CyberOps (Cisco), and network security (CCNA), along with experience building cybersecurity training platforms and zero-knowledge encryption systems. Security is not a checkbox for us; it is embedded in how we architect every system.
Code Review
All code undergoes multi-agent security review before deployment. We use automated static analysis alongside human review.
Environment Management
Secrets and credentials are stored in environment variables, never in code. Production keys are rotated regularly.
Rate Limiting
All public API endpoints are rate-limited by IP and email to prevent abuse. Limits are enforced at the application level.
Privacy by Design
IP addresses are hashed before storage (no raw IPs). Marketing consent is explicitly opt-in. Analytics respect cookie consent.
What We Offer
NDA Before Discovery
We sign a mutual NDA before any engagement begins. Your business context stays confidential.
IP Assignment on Completion
All custom code and systems we build are assigned to you upon project completion. You own what we build.
Statement of Work
Every project starts with a defined SOW covering scope, deliverables, timeline, and investment. No scope creep without written agreement.
Milestone-Based Billing
Payment is tied to progress: a portion at discovery, a portion at build, a portion at deployment. Retainers are billed monthly.
What We Don't Have Yet (Honestly)
We are a 6-person agency founded in 2024. We believe in being upfront about where we are.
We do not yet have SOC 2 certification.
We do not yet have ISO 27001 certification.
We have not yet completed a formal third-party penetration test.
We do not yet have client testimonials or case studies from external engagements (our shipped products are internal builds).
If your procurement process requires any of these, we may not be the right fit today. We are building toward them as we grow. We would rather be honest than overpromise.
Questions about security or data handling?
We are happy to discuss specifics for your situation.