Security
How we protect customer accounts and lead data. Questions or a responsible disclosure? security@responsebird.com.
1. Hosting and infrastructure
- The application is deployed on Vercel, which runs on AWS in US regions. All requests are served over HTTPS with TLS 1.2 or higher; HSTS is enabled.
- The primary database is Postgres hosted by Supabase. Background workers and webhook handlers run as Supabase Edge Functions (Deno on globally distributed runtimes).
- Voice calls are placed and received through Vapi; SMS and email follow-ups go through our telephony and email providers. Payment data is handled by DodoPayments — Responsebird never stores full card numbers.
2. Encryption
- In transit: TLS for every request between browsers, our application, third-party platforms, and edge functions.
- At rest: Postgres storage is encrypted at rest by Supabase; backup volumes are encrypted with AES-256.
- Secrets: API keys and webhook signing secrets are stored as platform-managed secrets (Vercel environment variables, Supabase secrets) — never committed to source control. Customer API keys are stored as one-way hashes; the raw value is shown to the customer once at creation.
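The "store a one-way hash, show the raw key once" pattern above, as an added example in TypeScript (Node's node:crypto). This is illustrative code, not Responsebird's implementation; the rb_live_ prefix, the 32-byte key length and the lookupHint field are assumptions made here so the example is self-contained.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Key format assumed for this example: a fixed prefix plus 32 random bytes (hex).
// The real product's key format is not described on this page.
const KEY_PREFIX = "rb_live_";
const HINT_LEN = 8;

export interface StoredApiKey {
  id: string;         // opaque identifier we can log and revoke by; never the key itself
  lookupHint: string; // first HINT_LEN chars after the prefix, non-secret, used only to find candidates
  hash: string;       // hex SHA-256 of the full raw key; this is all the database keeps
  createdAt: number;
}

export function hashKey(raw: string): string {
  // A fast hash is appropriate here: the key carries 256 bits of entropy, so it
  // cannot be brute-forced the way a low-entropy password could (bcrypt/argon2
  // are for passwords, not for random API keys).
  return createHash("sha256").update(raw, "utf8").digest("hex");
}

function hintOf(raw: string): string {
  return raw.slice(KEY_PREFIX.length, KEY_PREFIX.length + HINT_LEN);
}

// Mint a key. The raw value is returned exactly once to be shown to the customer;
// only `stored` goes to the database.
export function createApiKey(id: string, now = Date.now()): { raw: string; stored: StoredApiKey } {
  const raw = KEY_PREFIX + randomBytes(32).toString("hex");
  return {
    raw,
    stored: { id, lookupHint: hintOf(raw), hash: hashKey(raw), createdAt: now },
  };
}

// Authenticate a presented key against stored records. Returns the matching
// record id, or null. The hash comparison is constant-time so that a wrong key
// cannot be narrowed down byte by byte via response timing.
export function verifyApiKey(presented: string, store: StoredApiKey[]): string | null {
  if (!presented.startsWith(KEY_PREFIX)) return null;
  const candidate = Buffer.from(hashKey(presented), "hex");
  const hint = hintOf(presented);
  for (const rec of store) {
    if (rec.lookupHint !== hint) continue; // hint is public, so a plain compare is fine here
    const stored = Buffer.from(rec.hash, "hex");
    if (stored.length === candidate.length && timingSafeEqual(stored, candidate)) {
      return rec.id;
    }
  }
  return null;
}
```

If the key table is ever leaked, an attacker gets only SHA-256 digests of 256-bit random strings and cannot recover usable keys; the lookupHint is deliberately short enough to be useless on its own.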
3. Authentication and access control
- Customer logins are managed by Supabase Auth (password with email verification, and magic-link sign-in). Session cookies are scoped SameSite=Lax and rotated on a short interval.
- Multi-account workspaces enforce row-level security (Postgres RLS): every read and write checks that the authenticated user has an active membership on the target account.
- Server actions and API routes verify the session server-side before performing any privileged operation. Service-role database access, which bypasses RLS, is restricted to server code and never exposed to the browser.
- The service role key, payments key, and provider webhook secrets are accessible only to the founders and rotated when an employee leaves or a leak is suspected.
4. Webhook and integration hardening
- Every inbound webhook (Thumbtack, Facebook, Yelp, Vapi, DodoPayments, Zapier) verifies a signature, HMAC, or basic-auth credential before processing. Unsigned or invalid requests are rejected with a 4xx.
- Rate limits are applied to sensitive endpoints — lead import, knowledge-base fetch, and billing portal — keyed per authenticated user.
- Outbound webhook deliveries from Responsebird are signed; endpoints that fail five times in a row are deactivated and the owner is notified.
5. Application security
- The codebase is TypeScript end-to-end with strict typing. Dependencies are pinned in pnpm-lock.yaml and updated regularly; CI fails on type or lint errors before deployment.
- Errors and exceptions are forwarded to Sentry with PII scrubbing. Structured JSON logs from workers and webhook handlers go to the platform log aggregator.
- A queue-depth monitor runs every 15 minutes and pages our ops email if any job queue backs up; a growing queue is usually the first sign of an integration outage or abuse.
6. Lead data, voice recordings, and consent
- Lead data is processed strictly on behalf of the customer who owns the account; we do not sell it or use it to train shared AI models.
- Voice call recordings are stored only when the customer's state and business profile allow recording, and are subject to two-party consent rules where required.
- Customers may request export or deletion of their lead data at any time by writing to privacy@responsebird.com.
7. Incident response
- We aim to acknowledge any reported security issue within one business day and to provide a status update within five business days while it is being investigated.
- If a confirmed incident affects customer data, we notify affected account owners directly and as required by applicable law.
8. Compliance roadmap
- Responsebird is early-stage and not yet SOC 2 certified. A SOC 2 Type I audit is on the roadmap for the next 12 months; we are happy to share our internal control documentation under NDA in the meantime.
- We will sign a Data Processing Addendum (DPA) on request — write to hello@responsebird.com.
9. Responsible disclosure
If you believe you've found a vulnerability, please email security@responsebird.com with details and steps to reproduce. Do not run automated scans, attempt to access data that doesn't belong to you, or disclose the issue publicly until we've had a chance to fix it. We don't currently run a paid bounty programme but we will publicly credit researchers who report valid issues.
10. Contact
Responsebird, Inc.
Security reports: security@responsebird.com
Privacy questions: privacy@responsebird.com
General contact: hello@responsebird.com