Security architecture

Your data is isolated, encrypted, and governed.

SalesLobe processes sensitive sales conversations. We take that seriously. This page describes exactly how your data is protected: no compliance badges we haven't earned, no vague promises.

In transitTLS 1.3 encryption
At restAES-256 encryption
Data boundaryPostgres RLS
AI data useNo model training

Six pillars

Security by architecture, not by promise

These are not aspirational goals. They are how SalesLobe works today, enforced at the infrastructure level.

01

Row-level security

Every workspace is isolated at the database level using Supabase RLS policies. Queries are scoped to the authenticated user's workspace, cross-tenant access is blocked at the database layer.

Supabase RLS · Postgres policies
02

Encryption everywhere

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 via Supabase. API keys and credentials are never stored in plaintext.

TLS 1.3 · AES-256 at rest
03

Client data isolation

Agency workspaces and their clients are strictly isolated. A client's reply content, tone guides, and campaign data cannot be accessed by another client, even within the same agency account.

Multi-tenant isolation · RLS enforced
04

Bring Your Own Key

Pro and Agency plans let you provide your own Anthropic API key. Your key is encrypted at rest and used exclusively for your workspace's AI processing. Full control over your AI pipeline.

BYOK · Pro & Agency plans
05

EU data residency

Your workspace data is hosted in the EU: AWS eu-north-1 (Stockholm) via Supabase. Supabase maintains SOC 2 Type II compliance for the infrastructure your data lives on.

AWS eu-north-1 (Stockholm) · SOC 2 Type II infra
06

AI processing without training

Anthropic never trains on your data. Reply content is processed via the API under Anthropic's limited retention policy. Zero-data-retention is available via BYOK with your own Anthropic agreement. Reply data retention is configurable per organization with rolling auto-deletion.

Anthropic API · No training on data

Data flow

What happens to a reply

From the moment a reply enters SalesLobe to the moment it's stored, every step is isolated and encrypted.

corty · data pipeline
Reply arrives
Classified & isolated
AI drafts a response
Encrypted at rest
01

Reply arrives

A reply arrives via the Smartlead API (campaign replies) or the BCC feedback loop (managed inboxes). The raw reply enters your isolated workspace.

02

Classified & isolated

Corty classifies the reply (HOT / WARM / COLD) within your workspace's RLS boundary. No data crosses tenant boundaries.

03

AI drafts a response

Reply content is sent to Anthropic Claude for drafting. Anthropic does not train on your data; retention follows Anthropic's API policy (or your own agreement under BYOK).

04

Encrypted at rest

The draft, classification, and all metadata are stored encrypted (AES-256) in your workspace's isolated Supabase partition.

Data residency

Where your data lives

Data at rest
EU, AWS eu-north-1 (Stockholm), via Supabase
AI processing
Anthropic API (US), no training, limited retention
EU-only AI processing
Mistral: coming soon

Infrastructure

Built on trusted platforms

We don't run our own data centers. We build on platforms that have earned their compliance certifications so we can focus on application-level security.

Supabase
Database, auth & compute
SOC 2 Type II
Vercel
Marketing site hosting
SOC 2 Type II
Anthropic
AI processing
No training on data

Supabase and Vercel certifications are maintained by those platforms independently. SalesLobe's security benefits from their certified infrastructure.

Subprocessors

Who touches your data

Subprocessor Purpose Data touched Region
Supabase Database, auth & compute (Edge Functions) All workspace data EU (Stockholm)
Anthropic AI classification & drafting Reply content US
Vercel Marketing site & contact form hosting Contact form submissions US
AhaSend BCC email routing Email content in transit EU
Make.com Gmail/Outlook workflow routing Email content in transit Global infrastructure
Stripe Billing Payment data, no email content US / EU

Data Processing Agreement (DPA) available on request, GDPR Art. 28. Subprocessor list updated as our stack changes.

On compliance certifications

We do not currently hold SOC 2, ISO 27001, or HIPAA certifications. We are actively building toward SOC 2 Type II. We will not display compliance badges until we hold the actual certifications: that's a deliberate choice, not an oversight.

Infrastructure partners are SOC 2 Type II certified
Row-level security enforced at database level
AES-256 encryption at rest, TLS 1.3 in transit
AI processing without training on your data

If your organization requires specific compliance documentation, we're happy to discuss your requirements. Contact sales@saleslobe.com

Bring Your Own LLM

Coming soon

Choose your own LLM provider. Run Corty on the model that fits your compliance, data sovereignty, or performance requirements. Full control over where your data is processed.

Anthropic Current
Claude Haiku Fallback
Mistral EU

Data sovereignty matters. Mistral runs entirely within the EU, ideal for European compliance requirements.

Responsible disclosure

Found a security vulnerability? We take every report seriously.

Acknowledged within 24 hours
Critical issues triaged and prioritized immediately
Report a vulnerability

Your data, your control

Every feature in SalesLobe is designed so you stay in control of your data.

BYOK: use your own Anthropic key
Your data never trains shared models, all learning stays inside your workspace
EU data residency: Stockholm (AWS eu-north-1)

Questions about security?

We're happy to walk through our architecture in detail. No sales pitch required.