01 Where everything runs.

BABAV runs on Google Cloud Platform in the us-central1 region. Every component — Cloud Run services, Firebase Auth, Firestore (planned), Cloud Logging — is inside the same GCP project (babav-crm) with Identity-Aware Proxy and IAM controls.

• All traffic is encrypted in transit with TLS 1.3
• All data at rest is encrypted with AES-256-GCM (Google's default for GCP)
• Cloud Run containers are stateless and rebuilt on every deploy — no persistent compromise surface
• Secrets (API keys, OAuth tokens) live in Google Secret Manager, not in code or environment variables
• Production database (Firestore, when wired) has region-restricted access and IAM-enforced read/write per collection

02 What we store about you.

We collect what we need to operate the platform — nothing speculative, nothing for ad targeting (we don't run ads). Here's the real list:

• Account info — name, email, company, timezone
• Billing info — payment method, subscription state, invoice history (all stored in Stripe, we just keep the customer ID)
• Brand context — your voice notes, knowledge base documents, silence rules, target audience
• Channel content — incoming DMs/comments/emails on the channels you connect, our replies, and the success/failure of each action (so we can debug and bill you only for successful actions)
• Lead CRM data — contacts who interact with you, sentiment scores, intent scores, message history
• OAuth tokens — encrypted, in Google Secret Manager, used only to make API calls on your behalf

We do not store: your end customers' payment methods, their phone numbers (beyond what's needed for WhatsApp), or any third-party content we don't have a legitimate reason to keep.

03 How sign-in works.

Your dashboard uses Firebase Authentication with passwordless magic links by default. We chose this because it eliminates password reuse risk entirely — there's no password to phish, no password to reset, no password database to breach.

• Magic links are single-use and expire in 1 hour
• Sessions persist for 60 days of inactivity by default — we won't make you re-link every visit
• Sign out anywhere wipes the session immediately
• Google sign-in is also available as a secondary option
• Multi-factor authentication via SMS is on the roadmap for Q3 — happy to enable it sooner for any customer who needs it

04 Your channel accounts.

When you connect a channel (Threads, Instagram, Facebook, WhatsApp, YouTube, Gmail), one of two things happens depending on your plan:

• Done For You (default) — you add a BABAV team member as a manager/collaborator on your channel account. You can revoke access from your account settings any time, instantly, without us doing anything. No tokens leave your side.
• OAuth (coming soon) — for customers who'd rather not add managers, we'll request the minimum OAuth scopes needed for the features you use. Tokens are stored encrypted in Google Secret Manager and we never write them to logs.

05 How AI uses your data.

This is the section most teams gloss over. We'll be specific.

• Gemini 2.5 Flash runs on Vertex AI under Google's enterprise data terms. Per those terms, your prompts and outputs are not used to train Google's models. See Vertex AI's data terms.
• We do not train our own models on your data. We send your knowledge base and message history to Gemini as context for each individual reply, then discard everything that isn't needed to log the action.
• VEO video generation works the same way — your prompts go in, video comes out, none of it is used to train future versions.
• If you cancel, we delete your stored brand context, knowledge base, and message history within 30 days. We keep the minimum required by Stripe + tax law (customer ID, invoice records) for 7 years.

06 When things go wrong.

If we detect a security incident affecting your data:

• You'll get a direct email from a founder (not a noreply address) within 72 hours of discovery, per GDPR Article 33 timing — even if you're not in the EU
• The email will tell you what we know, what we don't yet know, what data was affected, and what we're doing about it
• We'll send a follow-up post-mortem inside 14 days with root cause and the changes we made
• If your channel tokens are compromised, we revoke them immediately and force re-authentication on your next session

So far: zero incidents. We'll update this section honestly if that ever changes.

07 Compliance posture.

We're early. Here's the honest state of certifications:

• GDPR + CCPA — compliant by design (data export, deletion, opt-out all available). See our Privacy Policy for details.
• SOC 2 Type I — in progress, target completion Q4 2026. Audit firm engaged.
• SOC 2 Type II — Q2 2027 (needs 12 months of operational evidence)
• HIPAA — not pursued. We don't process protected health information. If you need PHI handling, BABAV isn't the right fit yet.
• ISO 27001 — not pursued. Re-evaluating once SOC 2 lands.

If you're an enterprise buyer with a specific certification or DPA requirement, email support@babav.co — we'd rather have an honest conversation about what we can sign and what we can't than ghost you.

08 Found something? Tell us.

We don't have a formal bug bounty yet (early-stage, small team). But we take security reports seriously and respond quickly.

• Email: support@babav.co
• Response time: we acknowledge inside 24 hours, triage inside 72 hours
• Coordinated disclosure: we'll work with you on a public disclosure window once the fix is shipped
• Hall of fame: we'll credit you on this page (with your permission) once a bounty program is live