
Security you can verify

Your transcripts and your inbox are the two most sensitive things you give us. Here's how we protect both.

In plain English

  • No bot joins your meetings. Ever. ReplySequence never connects to Zoom, Teams, or Meet. You paste or upload the transcript — your prospect never sees a recording request or a bot in the lobby.
  • Draft-first — nothing leaves without your approval. Every follow-up surfaces as a draft. You review and hit send. No autonomous agents fire emails at your prospects. This matters for regulated deals — med-device, advisors, lawyers, custom builders signing $500k+ contracts.
  • We never store CRM passwords. HubSpot, Salesforce, and Google Sheets connect via OAuth — RS gets a revocable token, never credentials.
  • Tokens are encrypted at rest with AES-256-GCM. Decrypted only in memory during the send, never logged or written to disk.
  • Transcripts are not used to train AI models. Anthropic is contractually bound to zero data retention on our API calls.
  • Revoke any integration with one click from Dashboard → Settings → Integrations. Token deletion is immediate.

OAuth with narrow scopes

HubSpot, Salesforce, and Google Sheets connect via OAuth 2.0 with the minimum scopes needed to log activity and update fields. No passwords are ever stored, tokens are encrypted at rest, and you can disconnect at any time.


AES-256 encryption at rest

All sensitive data — OAuth tokens, transcripts in-flight, generated drafts — is encrypted with AES-256-GCM, the same standard used by banks and government agencies.


TLS 1.3 in transit

Every request to and from ReplySequence is sent over TLS 1.3. HSTS is enforced with preload so downgrade attacks are not possible.


Transcripts are not stored permanently

Transcripts are processed to generate your draft, then purged on a short retention window. We do not keep a long-term archive of what was said in your meetings, and transcripts are never used to train AI models.


SOC 2 Type II infrastructure

Hosted on Vercel and backed by Supabase (Postgres) — both SOC 2 Type II certified. You inherit that posture through us, with row-level security, automated backups, and point-in-time recovery.


Signed webhooks

All inbound webhooks (Fireflies, Granola, Zapier, Resend) are verified via HMAC-SHA256 signatures. Unsigned or tampered payloads are rejected before they reach the pipeline.


Least-privilege access

Every API endpoint enforces explicit ownership checks. You can only ever see your own meetings, drafts, and sequences — never another user's data, even by ID guessing.


Rate limiting & abuse protection

Public endpoints, webhooks, and onboarding flows are rate-limited. Stripe and Clerk handle payment and auth surfaces so card data and credentials never hit our servers.

How we handle your data

Collection

  • Only the data we need to draft a follow-up
  • OAuth tokens encrypted on arrival
  • We never sell personal data

Processing

  • AI inference via Anthropic Claude
  • Transcripts not used for model training
  • Processed in memory, purged quickly

Deletion

  • Full data export on request
  • Account deletion within 30 days
  • Backups purged after retention window

OAuth scopes we request

The exact permissions shown on the consent screen. Every scope is minimum-necessary — we don't request broad read/write of your mailbox or CRM.

Google (Drive / Sheets)

Write drafts and follow-up logs to a Sheet you pick

  • openid / profile / email (Basic)
  • drive.file (Non-sensitive: files RS creates only)

HubSpot

Log follow-ups to the contact record, read deal context

  • crm.objects.contacts.read / write (CRM data)
  • crm.objects.deals.read / write (CRM data)
  • oauth (Basic)

Salesforce

Log activity, create tasks on contacts / opportunities

  • api (CRM data)
  • refresh_token (Session)

Subprocessors

Third-party services involved in delivering the product. Each is under a DPA and reviewed against SOC 2 / ISO posture.

Service | Purpose | Region
Supabase | Primary database (Postgres) + auth storage | US (aws-us-east-2)
Vercel | Application hosting + serverless functions | US + global edge
Anthropic (Claude) | AI draft + sequence generation | US
Resend | Transactional email delivery | US
Clerk | User authentication + session management | US
Stripe | Billing + payment processing | US + EU
AssemblyAI | Transcript fallback for video uploads (opt-in) | US

List last reviewed 2026-04-23. Contact security@replysequence.com for a signed DPA.

Compliance posture

  • SOC 2 Type II: via Supabase & Vercel (infrastructure inheritance)
  • GDPR: Compliant (EU data protection)
  • CCPA: Compliant (California privacy law)
  • HIPAA: Not in scope (no PHI processed)

Full policies

For the long-form details on data use, rights, retention, and terms of service.

Report a vulnerability

Found a security issue? Responsible disclosure is appreciated and acknowledged. Email goes straight to the founder — no triage queue.

security@replysequence.com