Built secure. Not bolted-on secure.
What you need to know
You're uploading deal data. That means trust matters. Here's the short version:
- We never store your customers' personal information. Contact names, email addresses and phone numbers from your CRM are stripped before anything reaches our database.
- Your data is stored in the EU. All persistent data is stored on Supabase Cloud in EU West (Ireland). Some data is processed by US-based AI and enrichment providers — see sub-processors below.
- We're ICO registered as a UK Data Controller.
- Every core vendor we use is SOC 2 certified. Supabase, Vercel, Anthropic, OpenAI, Stripe, and all other sub-processors hold SOC 2 Type II certification.
- A Data Processing Agreement (DPA) is automatically in place for all paid subscribers, published at telepath.pro/data-processing-agreement.
If you need the full technical and compliance documentation for your procurement or security team, request it here →.
Privacy by design
We only keep what we need. And we never keep what we shouldn't.
When you connect your CRM or upload a CSV, here's exactly what happens:
What we store:
- Firmographic data — industry, company size, region, deal value, pipeline stage, lead source
- Normalised role data — seniority and function (e.g. “VP-level, Sales function”) — never individual names
- Your sales rep names and performance data (your employees, not your customers)
- The ICP analysis output — the intelligence you're paying for
What we never store:
- Customer contact names or email addresses from your CRM
- Phone numbers, mailing addresses, or any personal contact information
- Raw CSV rows containing personal data — these are stripped server-side before storage
- Full IP addresses — only a one-way hashed, truncated version used for analytics
Our system automatically scans every CSV upload for personal data columns and removes them before processing. You're always notified which columns were removed.
What we write back to your CRM
When you connect HubSpot (or another supported CRM), Telepath Pro creates custom properties on your deal records to deliver scoring and insights directly in your pipeline. Here's exactly what we write:
- telepath_t_score — a numeric score indicating deal-ICP fit
- telepath_t_segment — the ICP segment the deal maps to
- telepath_confidence — how confident the scoring model is (based on data completeness)
- telepath_strengths — what makes this deal a strong fit
- telepath_weaknesses — areas where the deal diverges from your ICP
- telepath_missing_fields — CRM fields that would improve scoring accuracy
- telepath_action — a recommended next step for the deal
We only write to custom properties prefixed with telepath_. We never modify your existing CRM fields, deal stages, or contact records.
CRM permissions we request
When you authorise HubSpot, we request the following OAuth scopes:
- Read access: deals, companies, contacts, deal owners, sales emails, timeline, account info
- Write access: deals and deal schemas (to create and update Telepath custom properties only)
You can revoke access at any time from your HubSpot account settings. Revoking access immediately prevents any further reads or writes.
Encryption, everywhere
| What | How |
|---|---|
| CRM OAuth tokens (e.g. HubSpot) | AES-256-GCM encryption at rest — the same standard used by banks |
| Passwords | bcrypt with cost factor 12 — deliberately slow to prevent brute-force attacks |
| API keys | SHA-256 one-way hash — plaintext shown once and never stored |
| All data in transit | TLS 1.2+ enforced across every connection, HSTS enabled |
| Analytics IP addresses | Salted SHA-256 hash, truncated — not reversible |
Infrastructure & sub-processors
Telepath Pro runs on the same infrastructure trusted by some of the world's largest companies — at a fraction of the cost.
Telepath Pro uses a split architecture. The web application runs on Vercel. Long-running AI analysis pipelines, PDF generation, and data enrichment run on a dedicated VPS hosted by Hostinger in Manchester, UK. Both deployments run the same codebase with the same authentication, encryption, and rate limiting controls.
Core infrastructure
| Layer | Provider | Region | Certification |
|---|---|---|---|
| Database | Supabase Cloud (PostgreSQL) | EU West (Ireland) | SOC 2 Type II |
| Application hosting | Vercel | Global edge, EU origin | SOC 2 Type II |
| Compute processing | Hostinger VPS — United Kingdom (Manchester) | UK | ISO/IEC 27001:2022 |
| Rate limiting & caching | Upstash Redis | EU region | SOC 2 |
| Error monitoring | Sentry | EU region | SOC 2 Type II |
| Logging & observability | Axiom | US | SOC 2 Type II |
AI & analysis
| Purpose | Provider | Region | Certification |
|---|---|---|---|
| Primary AI analysis | Anthropic (Claude) | US | SOC 2 Type II |
| Vector embeddings & fallback AI | OpenAI | US | SOC 2 Type II |
| Secondary fallback AI | Google (Gemini) | US | SOC 2 Type II |
Deal data sent to AI providers is sanitised before transmission: column names are anonymised, only aggregate statistics (means, medians, distributions) are sent, and no customer PII is included. If the primary AI provider is unavailable, we fall back to the next provider automatically to ensure service continuity.
Enrichment
| Purpose | Provider | Region | Data sent |
|---|---|---|---|
| Company enrichment | Apollo.io | US | Company domain names only |
| UK company data | Companies House API | UK | Company name or number |
| Brand data | Brandfetch | US | Company domain names only |
Enrichment providers receive only company domain names or identifiers — never contact-level data, deal values, or any customer PII.
Payments, email & storage
| Purpose | Provider | Certification |
|---|---|---|
| Payment processing | Stripe | PCI DSS Level 1, SOC 2 |
| Email delivery | Resend — EU region | SOC 2 |
| PDF report storage | Google Drive (encrypted) | SOC 2 Type II, ISO 27001 |
Analytics & tracking
| Purpose | Provider | Notes |
|---|---|---|
| Product analytics | PostHog | Pageviews only — session recording and autocapture are disabled |
| Marketing analytics | Google Analytics (GTM) | Consent-gated — only loads if you accept cookies |
| Internal analytics | Custom (self-hosted) | IP addresses are hashed and truncated before storage |
Data residency: All persistent customer data is stored in EU West (Ireland). Data is processed by US-based AI, enrichment, and observability providers as listed above, but is not stored by those providers beyond the duration of the API request. No customer PII is sent to any sub-processor.
Backups: Daily automated backups with point-in-time recovery. 99.9% uptime SLA.
Cookies
We use a minimal set of cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie | Keeps you logged in | 30 days | Essential (httpOnly, secure) |
| telepath_cookie_consent | Remembers your analytics preference | 1 year | Essential |
| Google Analytics cookies | Marketing analytics | Varies | Optional — only set if you accept |
No tracking cookies are set until you explicitly consent via our cookie banner. You can change your preference at any time.
Compliance
UK GDPR
Telepath Pro is registered with the UK Information Commissioner's Office (ICO) as a Data Controller. Our full legal documentation is publicly available:
Our DPA is automatically incorporated into our Terms of Service for all paid subscribers. Enterprise customers requiring a countersigned DPA for their procurement process can request one here → — we'll turn it around within 5 business days.
Lawful basis
We document the lawful basis for every category of data we collect and process. A full breakdown is available in our DPA and on request.
Right to erasure
You can request complete deletion of your account and all associated data at any time by emailing security@telepath.pro. Deletion is cascading — all data is removed except financial records, which we're required to retain for 7 years.
CRM privacy deletion
If a contact is deleted from HubSpot via a GDPR privacy deletion request, HubSpot automatically notifies Telepath Pro via a signed webhook. We verify the request using HMAC-SHA256 signature validation and cascade-delete all associated data from our systems — no manual action required.
How we keep things secure
Weekly security reviews
Every week, we run an automated security audit across all new code — checking for authentication gaps, input validation, PII handling, and secrets hygiene. Findings are reviewed and actioned the same week.
Prompt injection defence
All data sent to our AI models is wrapped in structured XML tags with explicit instructions to treat user content as data only — never as instructions. Every AI response is validated against a strict schema before use.
Rate limiting
All endpoints are rate-limited using Upstash Redis with sliding window algorithms. Limits are applied at multiple levels — per IP, per email, and globally — to protect both your data and our infrastructure from abuse.
Server hardening
Our compute infrastructure is protected by a dual-layer firewall — a network-level firewall at the hosting provider plus UFW at the operating system level. Both are configured to allow only three ports: SSH (rate-limited), HTTP, and HTTPS. Default policy is deny-all on inbound traffic. All application traffic is routed through Traefik reverse proxy which handles TLS termination and request routing. No application ports are directly exposed to the internet.
Monitoring
UptimeRobot checks the platform every 5 minutes. Sentry monitors application errors in real time across 13 critical points in the system. Axiom provides structured logging across all API routes. Our team is alerted immediately if anything goes wrong.
Where we're headed
We're transparent about where we are and where we're going.
| Milestone | Action |
|---|---|
| Now | ICO registered, GDPR compliant, DPA in place, SOC 2 infrastructure throughout |
| First enterprise customer | Cyber Essentials self-assessment certification |
| £10k MRR | External penetration test by CREST-certified tester |
| £50k MRR | SOC 2 Type II assessment (if enterprise pipeline requires it) |
We don't pretend to be a 500-person enterprise with a dedicated security team. What we do have is a security-first architecture, documented practices, and a clear roadmap — and we're happy to talk through any of it.
Need full documentation?
If your procurement or IT team needs our complete Architecture & Security document — covering our full tech stack, encryption specifications, database schema, incident response runbooks, and sub-processor details — we're happy to share it.
Request security documentation →
Or email directly: security@telepath.pro
We typically respond within one business day.