Built secure. Not bolted-on secure.
What you need to know
You're uploading deal data. That means trust matters. Here's the short version:
- We never store your customers' personal information. Contact names, email addresses and phone numbers from your CRM are stripped before anything reaches our database.
- Your data stays in the EU. All data is stored on Supabase Cloud in EU West (Ireland).
- We're ICO registered as a UK Data Controller.
- Every vendor we use is SOC 2 certified. Supabase, Vercel, Anthropic, Stripe, and all other sub-processors hold SOC 2 Type II certification.
- A Data Processing Agreement (DPA) is automatically in place for all paid subscribers, published at telepath.pro/data-processing-agreement.
If you need the full technical and compliance documentation for your procurement or security team, request it here →.
Privacy by design
We only keep what we need. And we never keep what we shouldn't.
When you connect your CRM or upload a CSV, here's exactly what happens:
What we store:
- Firmographic data — industry, company size, region, deal value, pipeline stage, lead source
- Normalised role data — seniority and function (e.g. “VP-level, Sales function”) — never individual names
- Your sales rep names and performance data (your employees, not your customers)
- The ICP analysis output — the intelligence you're paying for
What we never store:
- Customer contact names or email addresses from your CRM
- Phone numbers, mailing addresses, or any personal contact information
- Raw CSV rows containing personal data — these are stripped server-side before storage
- Deal names that reference specific individuals
- Full IP addresses — only a one-way hashed, truncated version used for analytics
Our system automatically scans every CSV upload for personal data columns and removes them before processing. You're always notified which columns were removed.
Encryption, everywhere
| What | How |
|---|---|
| CRM OAuth tokens (e.g. HubSpot) | AES-256-GCM encryption at rest — the same standard used by banks |
| Passwords | bcrypt with cost factor 12 — deliberately slow to prevent brute-force attacks |
| API keys | SHA-256 one-way hash — plaintext shown once and never stored |
| All data in transit | TLS 1.2+ enforced across every connection, HSTS enabled |
| Analytics IP addresses | Salted SHA-256 hash, truncated — not reversible |
Enterprise-grade infrastructure
Telepath Pro runs on the same infrastructure trusted by some of the world's largest companies — at a fraction of the cost.
| Layer | Provider | Certification |
|---|---|---|
| Database | Supabase Cloud — EU West Ireland | SOC 2 Type II |
| Application hosting | Vercel | SOC 2 Type II |
| AI analysis | Anthropic (Claude) | SOC 2 Type II |
| Vector embeddings | OpenAI | SOC 2 Type II |
| Payment processing | Stripe | PCI DSS Level 1, SOC 2 |
| Email delivery | Resend — EU region | SOC 2 |
| Rate limiting | Upstash Redis — EU region | SOC 2 |
| Error monitoring | Sentry — EU region | SOC 2 Type II |
Data residency: All customer data is stored in EU West (Ireland). It does not leave the EU.
Backups: Daily automated backups with point-in-time recovery. 99.9% uptime SLA.
Compliance
UK GDPR
Telepath Pro is registered with the UK Information Commissioner's Office (ICO) as a Data Controller. Our full legal documentation is publicly available:
Our DPA is automatically incorporated into our Terms of Service for all paid subscribers. Enterprise customers requiring a countersigned DPA for their procurement process can request one here → — we'll turn it around within 5 business days.
Lawful basis
We document the lawful basis for every category of data we collect and process. A full breakdown is available in our DPA and on request.
Right to erasure
You can request complete deletion of your account and all associated data at any time by emailing security@telepath.pro. Deletion is cascading — all data is removed except financial records, which we're required to retain for 7 years.
How we keep things secure
Weekly security reviews
Every week, we run an automated security audit across all new code — checking for authentication gaps, input validation, PII handling, and secrets hygiene. Findings are reviewed and actioned the same week.
Prompt injection defence
All data sent to our AI models is wrapped in structured XML tags with explicit instructions to treat user content as data only — never as instructions. Every AI response is validated against a strict schema before use.
Rate limiting
All endpoints are rate-limited using Upstash Redis with sliding window algorithms. This protects both your data and our infrastructure from abuse.
Monitoring
UptimeRobot checks the platform every 5 minutes. Sentry monitors application errors in real time across 13 critical points in the system. Our team is alerted immediately if anything goes wrong.
Where we're headed
We're transparent about where we are and where we're going.
| Milestone | Action |
|---|---|
| Now | ICO registered, GDPR compliant, DPA in place, SOC 2 infrastructure throughout |
| First enterprise customer | Cyber Essentials self-assessment certification |
| £10k MRR | External penetration test by CREST-certified tester |
| £50k MRR | SOC 2 Type II assessment (if enterprise pipeline requires it) |
We don't pretend to be a 500-person enterprise with a dedicated security team. What we do have is a security-first architecture, documented practices, and a clear roadmap — and we're happy to talk through any of it.
Need full documentation?
If your procurement or IT team needs our complete Architecture & Security document — covering our full tech stack, encryption specifications, database schema, incident response runbooks, and sub-processor details — we're happy to share it.
Request security documentation →
Or email directly: security@telepath.pro
We typically respond within one business day.