Skip to main content
Security & Trust

Security at BizRnR

BizRnR runs the same security posture for the solo HVAC owner on Spark as it does for the call-center-replacement Enterprise customer: row-level isolation, encrypted-at-rest data, scoped vendor access, and a working responsible-disclosure path.

Email security@bizrnr.comRead our terms
Posture

How customer data is protected

Application data lives in a Postgres database where every table that holds tenant data carries a row-level-security policy. The application authenticates as the end user; the only paths that bypass RLS are explicit admin-client calls, and a custom ESLint rule fails CI when an admin-client SELECT lacks a tenant filter.

Data handling

  • In transit: TLS 1.2+ end-to-end, HSTS preload, modern cipher suites only.
  • At rest: Postgres encrypted at the storage layer; bucket-stored assets encrypted at rest.
  • Secrets: managed by Vercel + the platform vault. No secrets in source. Every process.env read trimmed (a custom ESLint rule enforces this).
  • Audit log: tenant-scoped audit events for billing, auth, and admin actions; retained per tenant policy.

Compliance posture

Card data never touches BizRnR systems — Stripe is the PCI scope owner. Voice recordings and transcripts are stored encrypted at rest with tenant-controlled retention windows. SOC 2 Type II is in flight (target completion 2026 H2); the trust report and supporting artifacts ship to enterprise prospects under NDA in the meantime.

Sub-processors

BizRnR uses a small set of vendors to deliver the platform. Every sub-processor below has a current DPA on file, processes only the data its purpose requires, and is reviewed annually. Add or change here and the page updates.

PII + Auth

SupabaseUS (us-east-1)

Primary application database, row-level security, auth tokens, file storage.

DPA

Transactional email delivery (receipts, alerts, onboarding).

DPA

Voice

TwilioUS (default)

Phone number provisioning, inbound call handling, SMS reply window for paid tiers.

DPA

AI voice agent runtime — synthesizes the receptionist voice in real time during calls.

DPA

AI

LLM inference for the autonomous support agent and back-office reasoning. Zero-data-retention configured.

DPA

LLM inference for content generation paths and embedding workloads. Zero-data-retention configured.

DPA

Payment

StripeUS + EU

Subscription billing, payment processing, dispute management. Card numbers never touch our systems (PCI-DSS scope is Stripe-managed).

DPA

Logs

Application error monitoring; PII scrubbed at the SDK boundary.

DPA

Infra

VercelUS (iad1) + edge

Application hosting, serverless functions, edge runtime, deploy logs, image optimization.

DPA
CloudflareGlobal edge

DNS, DDoS protection, edge caching, bot mitigation. No application traffic terminates at Cloudflare beyond TLS.

DPA

Responsible disclosure

Found a vulnerability? Email security@bizrnr.com with reproduction steps. We acknowledge within four business hours, scope the impact within 24 hours, and coordinate a fix window with you. We credit researchers in our security disclosures unless you ask us not to. We do not run a paid bounty today; legitimate findings receive recognition + swag, and material findings are escalated to founder review for case-by-case compensation.

Security contact

Reach the security team

Email: security@bizrnr.com

PGP key on request. Acknowledge in 4h, scope in 24h.

Frequently asked questions

Are call recordings stored?

Inbound call recordings and transcripts are stored encrypted at rest. Retention defaults to 90 days; Inferno and Enterprise tenants control the window from their dashboard. Recordings are never used to train models without explicit opt-in.

Where is data stored geographically?

Primary application data is stored in US (us-east-1). Edge static assets serve from Vercel + Cloudflare global edge. Voice runtime calls route through US Twilio + US ElevenLabs endpoints by default.

Do you support SSO?

Email + password and Google OAuth ship today. SAML SSO is on the Enterprise roadmap (target 2026 H2) and available earlier under contract.

How do I delete my data?

Cancel your subscription from billing settings; we honor a 30-day grace period (you can self-serve restore inside that window) and then purge tenant-owned data from primary storage. Backups expire on a 35-day rolling window.