Security & Trust

Last updated: June 2026

We take the security of your data and your customers' data seriously. This page summarises our posture; a full security overview, sub-processor list, and Data Processing Agreement (DPA) are available on request at hello@founderexecute.com.

Certifications & roadmap

SOC 2 Type II — in progress. We are implementing the controls for a SOC 2 Type II examination and can share our current control documentation and timeline under NDA. We are not yet certified, and we'd rather tell you that plainly than imply otherwise.

How we protect data

Data is encrypted in transit (TLS) and at rest. Access is least-privilege and tenant-isolated — each workspace's data is scoped to that tenant. Credentials and API keys are held in managed secret storage, never in source code. You connect your own provider credentials (e.g. Twilio, email) and can revoke them at any time.

Sub-processors

We rely on a small set of vetted providers, each processing data only as needed to deliver the service:

  • OpenAI — AI models (call reasoning + transcription)
  • Twilio — telephony (voice + SMS)
  • Supabase — application database (Postgres)
  • Railway — backend / voice-gateway hosting
  • Vercel — web app + API hosting
  • Resend — transactional email
  • Stripe — payments
  • Google — calendar (when you connect it)

The current list with entity details and locations is provided in our DPA on request.

Data retention

Call transcripts and related records are retained for a configurable window per agent and then automatically redacted — anonymous metadata (timestamps, duration, status) is kept for reporting, while transcript content, summaries and any recordings are removed. Lead lists are used only to run the campaigns you instruct and are deleted or returned at the end of an engagement unless retention is legally required.

Calling compliance

Our calling is built around consent: opted-in leads only, do-not-call scrubbing, a spoken AI-disclosure at the start of each call, and permitted calling hours. Recording behaviour and consent handling are configurable to match your jurisdiction (for example one-party vs. two-party consent).

Reporting an issue

Found a vulnerability? Email hello@founderexecute.com and we'll respond promptly. We do not take legal action against good-faith security research.