Security & Data Safety
We built GBI to be trusted with the most sensitive part of your business — your customers. Here is exactly how we protect your data, who handles it, and what we will never do with it.
Last updated: June 2026 · Questions? hello@goldenbeaconintelligence.com
Our Commitment
Your clients trust you. We take that seriously.
GBI processes real conversations between your business and your customers. That data belongs to you — not to us, not to our partners, not to anyone else.
We are a small, independent company based in Fort Worth, Texas. We do not have VC pressure to monetize your data. Our only revenue is your subscription. That alignment matters.
GBI does not yet hold its own SOC 2 certification. We are honest about that. What we do have is a platform built entirely on infrastructure that does hold SOC 2 Type II certifications — and a commitment to complete our own audit as we scale. Every layer of our stack has been independently audited.
Infrastructure
Built on a fully certified stack
Every vendor that touches your data has completed an independent SOC 2 Type II audit — the highest standard for SaaS security. We didn't build on cheap infrastructure to save money.
Vercel
SOC 2 Type IIApplication hosting & delivery
Our application is hosted and served entirely on Vercel's global edge network. Vercel holds a SOC 2 Type II report, audited annually.
Supabase
SOC 2 Type IIDatabase & file storage
All business data — customers, calls, conversations, leads — is stored in Supabase (Postgres on AWS). Encrypted at rest using AES-256.
Clerk
SOC 2 Type IIAuthentication & identity
All sign-in, session management, and password handling is done by Clerk. We never store passwords. Supports multi-factor authentication.
Voice & SMS Infrastructure
SOC 2 Type IIPhone calls & text messages
All phone calls and text messages are handled by a leading enterprise telecom infrastructure provider used by the world's largest companies. Calls and SMS are encrypted in transit and handled under strict data retention policies.
Anthropic
SOC 2 Type IIAI language model
The AI that powers GBI's chat, voice scripts, and automations runs on Anthropic's Claude models. Anthropic does not use your data to train future models.
Encryption
In transit — TLS 1.3
All data moving between your browser, our servers, and our vendors is encrypted using TLS 1.3. This is enforced by Vercel at the edge.
At rest — AES-256
All data stored in Supabase is encrypted at rest using AES-256, the same standard used by banks and federal agencies.
Passwords — never stored by us
Clerk handles all authentication. We never see, receive, or store your password in any form.
Access & isolation
Hard tenant isolation
Every database query is scoped to your business ID at the code level. It is technically impossible for one client's data to appear in another client's account.
Role-based access
You control who on your team can access your account. Roles include Owner, Manager, and Staff — each with defined permissions.
Multi-factor authentication
Supported for all accounts via Clerk. We strongly recommend enabling MFA, especially for owner-level access.
What we will never do
Clear commitments, not marketing. These are hard rules in how we operate — not buried in a terms of service.
We do not sell your data to anyone, ever — not advertisers, not data brokers, not partners.
We do not store passwords. Authentication is handled entirely by Clerk using industry-standard hashing.
We do not use your customer conversations or business data to train AI models.
We do not share your leads, call recordings, or customer information with other GBI clients.
We do not store payment card information. All billing is handled by Stripe, which is PCI DSS Level 1 certified.
We do not retain your data after account deletion beyond what is legally required.
Transparency
What data we collect and why
We only collect what is necessary to run your AI platform. Here is a plain-English breakdown.
Business profile
Name, industry, website, phone number — used to configure your AI.
Customer contacts
Names and phone numbers of people who contact your business through GBI.
Call recordings & transcripts
Voice calls handled by your AI — stored so you can review them in your dashboard.
Chat conversations
Messages between your AI chatbot and website visitors.
SMS threads
Two-way text conversations initiated through missed-call text-back.
Usage data
Which features you use, error logs, performance metrics — used to improve the platform.
Your Rights
You own your data
GBI is a tool that processes data on your behalf. That data belongs to you and your customers, not to us.
Data export
You can export all your leads, call logs, customer records, and conversation history from your dashboard at any time.
Account deletion
When you close your account, we delete your data from our systems within 30 days, except where we are legally required to retain records.
Customer data requests
If one of your customers asks what data you hold on them, you can pull and delete their record from the Customers section of your dashboard.
Corrections
You can update or correct any data stored in GBI at any time — business profile, customer records, AI knowledge — all editable.
Our own SOC 2 audit — in progress
GBI does not yet hold its own SOC 2 certification. We are honest about that. Every vendor in our stack does — but a SOC 2 report for GBI as a company requires a formal audit by a licensed CPA firm, and we are working toward that.
In the meantime, our entire platform is built on SOC 2 Type II-certified infrastructure, and our internal controls — data isolation, encryption, access management, and logging — meet the standards the audit would require.
If your organization has a specific security questionnaire or requires a vendor security review, reach out directly and we will walk through our controls with you.
Security questions?
If you have a security concern, need to complete a vendor questionnaire, or want to report a potential vulnerability — reach out directly. You will get a response from a real person, not a support bot.
hello@goldenbeaconintelligence.comTo report a security vulnerability responsibly, please email the above address with “Security Report” in the subject line.