Security architecture
Your data is isolated, encrypted, and governed.
SalesLobe processes sensitive sales conversations. We take that seriously. This page describes exactly how your data is protected: no compliance badges we haven't earned, no vague promises.
Six pillars
Security by architecture, not by promise
These are not aspirational goals. They are how SalesLobe works today, enforced at the infrastructure level.
Row-level security
Every workspace is isolated at the database level using Supabase RLS policies. Queries are scoped to the authenticated user's workspace, cross-tenant access is blocked at the database layer.
Encryption everywhere
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 via Supabase. API keys and credentials are never stored in plaintext.
Client data isolation
Agency workspaces and their clients are strictly isolated. A client's reply content, tone guides, and campaign data cannot be accessed by another client, even within the same agency account.
Bring Your Own Key
Pro and Agency plans let you provide your own Anthropic API key. Your key is encrypted at rest and used exclusively for your workspace's AI processing. Full control over your AI pipeline.
EU data residency
Your workspace data is hosted in the EU: AWS eu-north-1 (Stockholm) via Supabase. Supabase maintains SOC 2 Type II compliance for the infrastructure your data lives on.
AI processing without training
Anthropic never trains on your data. Reply content is processed via the API under Anthropic's limited retention policy. Zero-data-retention is available via BYOK with your own Anthropic agreement. Reply data retention is configurable per organization with rolling auto-deletion.
Data flow
What happens to a reply
From the moment a reply enters SalesLobe to the moment it's stored, every step is isolated and encrypted.
Reply arrives
A reply arrives via the Smartlead API (campaign replies) or the BCC feedback loop (managed inboxes). The raw reply enters your isolated workspace.
Classified & isolated
Corty classifies the reply (HOT / WARM / COLD) within your workspace's RLS boundary. No data crosses tenant boundaries.
AI drafts a response
Reply content is sent to Anthropic Claude for drafting. Anthropic does not train on your data; retention follows Anthropic's API policy (or your own agreement under BYOK).
Encrypted at rest
The draft, classification, and all metadata are stored encrypted (AES-256) in your workspace's isolated Supabase partition.
Data residency
Where your data lives
Infrastructure
Built on trusted platforms
We don't run our own data centers. We build on platforms that have earned their compliance certifications so we can focus on application-level security.
Supabase and Vercel certifications are maintained by those platforms independently. SalesLobe's security benefits from their certified infrastructure.
Subprocessors
Who touches your data
| Subprocessor | Purpose | Data touched | Region |
|---|---|---|---|
| Supabase | Database, auth & compute (Edge Functions) | All workspace data | EU (Stockholm) |
| Anthropic | AI classification & drafting | Reply content | US |
| Vercel | Marketing site & contact form hosting | Contact form submissions | US |
| AhaSend | BCC email routing | Email content in transit | EU |
| Make.com | Gmail/Outlook workflow routing | Email content in transit | Global infrastructure |
| Stripe | Billing | Payment data, no email content | US / EU |
Data Processing Agreement (DPA) available on request, GDPR Art. 28. Subprocessor list updated as our stack changes.
On compliance certifications
We do not currently hold SOC 2, ISO 27001, or HIPAA certifications. We are actively building toward SOC 2 Type II. We will not display compliance badges until we hold the actual certifications: that's a deliberate choice, not an oversight.
If your organization requires specific compliance documentation, we're happy to discuss your requirements. Contact sales@saleslobe.com
Bring Your Own LLM
Coming soonChoose your own LLM provider. Run Corty on the model that fits your compliance, data sovereignty, or performance requirements. Full control over where your data is processed.
Data sovereignty matters. Mistral runs entirely within the EU, ideal for European compliance requirements.
Responsible disclosure
Found a security vulnerability? We take every report seriously.
Your data, your control
Every feature in SalesLobe is designed so you stay in control of your data.
Questions about security?
We're happy to walk through our architecture in detail. No sales pitch required.