Security

Last updated: 8 February 2026

Coldread is designed with security and privacy as foundational principles. We handle sensitive sales call data and take that responsibility seriously.

Encryption

  • All data in transit encrypted via TLS 1.2+
  • Database encrypted at rest (AES-256) via Supabase/AWS
  • Audio recordings encrypted at rest in Cloudflare R2
  • Stripe handles payment data — never touches our servers

Authentication & Access Control

  • Authentication via Clerk (SOC 2 Type II certified)
  • Organization-level data isolation — teams only see their own data
  • Role-based access control for team members
  • Webhook endpoints verified via HMAC signatures or token validation

Infrastructure

  • Hosted on Vercel (SOC 2 Type II, ISO 27001)
  • Database on Supabase (SOC 2 Type II, hosted on AWS)
  • Audio storage on Cloudflare R2 (SOC 2 Type II)
  • Background processing via Inngest (SOC 2 Type II)
  • No self-managed servers — fully managed infrastructure

AI Data Handling

  • Call transcripts sent to AI for analysis — audio is never sent
  • ElevenLabs processes audio for transcription and discards it
  • AI providers (Google/Gemini) do not retain or train on your data
  • API access via OpenRouter — no persistent storage of prompts or responses

Compliance

  • GDPR-ready — Data Processing Agreement (DPA) available on request
  • Sub-processor list maintained and updated (see /legal/sub-processors)
  • Standard Contractual Clauses (SCCs) for international transfers
  • UK IDTA addendum for UK-to-US transfers
  • Right to erasure supported via data deletion endpoint

Data Retention & Deletion

  • Call recordings retained for your subscription period + 30 days
  • Account data deleted 30 days after account termination
  • Data deletion requests processed within 30 days (GDPR Article 17)
  • Cascade deletion: removing an account removes all calls, contacts, and recordings
  • Request deletion at privacy@coldread.ai

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@coldread.ai. We take all reports seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities until we have had a chance to address them.

Questions

For security questions or to request our Data Processing Agreement (DPA), contact security@coldread.ai or privacy@coldread.ai.
