Security & data
ResponZ processes support conversations, which contain personal data. This page explains what we read, where it sits, who can touch it, and how you stay in control.
Principles
- Read-only.ResponZ never writes to your Intercom or GitHub workspace. We can't reply, tag, archive or delete anything.
- Revocable in one click. You disconnect from your workspace settings and we stop receiving data immediately.
- Encrypted at rest and in transit. TLS 1.2+ everywhere, AES-256 on stored data.
- Tenant isolation.Your data is logically partitioned per workspace. No customer can ever query another customer's data.
Data residency
Application and database are hosted in EU regions (Frankfurt / Paris) on Vercel and our managed database provider. No personal data leaves the EU without appropriate safeguards (Standard Contractual Clauses where applicable).
Subprocessors
ResponZ acts as a data processor (GDPR Article 28) for the conversation data we analyze on your behalf. You remain the controller. We rely on the following subprocessors:
- Vercel — application hosting, EU regions.
- Managed Postgres — primary data store, EU region.
- LLM provider — scoring, clustering and gap detection. Zero data retention agreement, no training on customer data.
- Stripe — billing, no access to conversation content.
Good to know
Retention
- Account data — kept for the duration of the contract, deleted within 30 days of termination.
- Conversation analyses — kept according to your workspace setting, capped at the contract duration. Deletion on demand within 30 days.
- Audit and technical logs — 12 months.
- Invoicing data — 10 years (legal accounting requirement).
Audit log
Every API call ResponZ makes to your Intercom or GitHub workspace is logged (metadata only, never the payload). You can browse the log from Settings → Audit log and export it as CSV.
Compliance
- SOC 2 Type II — engagement ongoing.
- ISO 27001 — engagement ongoing.
- GDPR — controller / processor model, DPA available on request.
- CNIL — you can lodge a complaint with the French data protection authority at any time (3 place de Fontenoy, 75007 Paris).