BABAV

Security — BABAV.CO
Trust

Security, plainly.

What we do to protect your data, your customers' data, and the channel accounts you connect. No badges we don't have, no theater — just the real posture, current as of June 2026.

01 Where everything runs.

BABAV runs on Google Cloud Platform in the us-west1 region. Every component — Cloud Run services, Firestore, Cloud Logging — runs inside one GCP project with IAM-enforced access controls.

  • All traffic is encrypted in transit with TLS 1.3
  • All data at rest is encrypted with AES-256-GCM (Google's default for GCP)
  • Cloud Run containers are stateless and rebuilt on every deploy — no persistent compromise surface
  • Static secrets (API keys, signing keys) live in Google Secret Manager — never in code or environment variables. Per-customer OAuth tokens are AES-256-GCM encrypted and stored in Firestore.
  • The production database (Firestore) has region-restricted access and IAM-enforced read/write per collection
Why GCP, not AWS

Gemini and VEO live on Vertex AI inside GCP. Running the rest of the stack in the same region (us-west1) means zero egress fees, low in-region latency to the model, and one IAM model to reason about. Less surface, fewer cross-cloud headaches.

02 What we store about you.

We collect what we need to operate the platform — nothing speculative, nothing for ad targeting (we don't run ads). Here's the real list:

  • Account info — name, email, company, timezone
  • Billing info — payment method, subscription state, invoice history (all stored in Stripe, we just keep the customer ID)
  • Brand context — your voice notes, knowledge base documents, silence rules, target audience
  • Channel content — incoming DMs/comments/emails on the channels you connect, our replies, and the success/failure of each action (so we can debug and bill you only for successful actions)
  • Lead CRM data — contacts who interact with you, sentiment scores, intent scores, message history
  • OAuth tokens — AES-256-GCM encrypted and stored in Firestore, used only to make API calls on your behalf

We do not store: your end customers' payment methods, their phone numbers (beyond what's needed for WhatsApp), or any third-party content we don't have a legitimate reason to keep.

03 How sign-in works.

Your dashboard uses passwordless magic links with HMAC-signed sessions — no passwords, and no third-party auth provider. We chose this because it eliminates password reuse risk entirely: there's no password to phish, no password to reset, and no password database to breach.

  • Magic links are single-use and expire in 15 minutes
  • Sessions are HMAC-signed and last 7 days, after which you re-link with a fresh magic link
  • Sign out anywhere wipes the session immediately
  • Multi-factor authentication via SMS is on the roadmap — happy to enable it sooner for any customer who needs it

04 Your channel accounts.

When you connect a channel (Threads, Instagram, Facebook, WhatsApp, YouTube, Gmail, Telegram, X, Discord, LinkedIn, Twitch), it works the same way every time:

  • One-click OAuth — you authorize BABAV directly with each network. No passwords ever change hands, and we request only the minimum scopes needed for the features you turn on.
  • Encrypted tokens — the access tokens are encrypted with AES-256-GCM at rest, never written to logs, and used only to run the actions you've enabled. Disconnect a channel and the tokens are wiped within minutes.
Worth saying out loud

You stay in control of every connection. Revoke BABAV's access from your own account settings — or from within BABAV — at any time, instantly. On the Done-for-you plan, an operator works inside your BABAV dashboard on your behalf; you can see what they do and remove access whenever you want.

05 How AI uses your data.

This is the section most teams gloss over. We'll be specific.

  • Gemini 2.5 Flash runs on Vertex AI under Google's enterprise data terms. Per those terms, your prompts and outputs are not used to train Google's models. See Vertex AI's data terms.
  • We do not train our own models on your data. We send your knowledge base and message history to Gemini as context for each individual reply, then discard everything that isn't needed to log the action.
  • VEO video generation works the same way — your prompts go in, video comes out, none of it is used to train future versions.
  • If you cancel, we delete your stored brand context, knowledge base, and message history within 30 days. We keep the minimum required by Stripe + tax law (customer ID, invoice records) for 7 years.

06 When things go wrong.

If we detect a security incident affecting your data:

  • You'll get a direct email from a founder (not a noreply address) within 72 hours of discovery, per GDPR Article 33 timing — even if you're not in the EU
  • The email will tell you what we know, what we don't yet know, what data was affected, and what we're doing about it
  • We'll send a follow-up post-mortem inside 14 days with root cause and the changes we made
  • If your channel tokens are compromised, we revoke them immediately and force re-authentication on your next session

So far: zero incidents. We'll update this section honestly if that ever changes.

07 Compliance posture.

We're early. Here's the honest state of certifications:

  • GDPR + CCPA — compliant by design (data export, deletion, opt-out all available). See our Privacy Policy for details.
  • SOC 2 Type I — in progress, target completion Q4 2026.
  • SOC 2 Type II — Q2 2027 (needs 12 months of operational evidence)
  • HIPAA — not pursued. We don't process protected health information. If you need PHI handling, BABAV isn't the right fit yet.
  • ISO 27001 — not pursued. Re-evaluating once SOC 2 lands.

If you're an enterprise buyer with a specific certification or DPA requirement, email support@babav.co — we'd rather have an honest conversation about what we can sign and what we can't than ghost you.

08 Found something? Tell us.

We don't have a formal bug bounty yet (early-stage, small team). But we take security reports seriously and respond quickly.

  • Email: support@babav.co
  • Response time: we acknowledge inside 24 hours, triage inside 72 hours
  • Coordinated disclosure: we'll work with you on a public disclosure window once the fix is shipped
  • Hall of fame: we'll credit you on this page (with your permission) once a bounty program is live

Questions? Just ask.

If you have a specific security requirement for your team, we'd rather have a direct conversation than send you a 40-page generic doc.

Email support@babav.co →