What we do with your data, how it's protected, and what we don't pretend to have.
VR Goals reads from Guesty, PriceLabs, Breezeway, QuickBooks Online, DocuSign, and PandaDoc. That's sensitive data. Here's the posture — claims only where they're true, roadmap where they aren't.
Encryption at rest
Live: All customer data is encrypted at rest with AES-256 on our production database (Postgres on managed infrastructure).
Encryption in transit
Live: All traffic between browsers, our API, and partner APIs (Guesty, PriceLabs, Breezeway, QBO, DocuSign, PandaDoc) uses TLS 1.2+.
OAuth-scoped integrations
Live: We connect to Guesty, QuickBooks Online, DocuSign, and PandaDoc via OAuth — you grant scoped access and revoke it at will. We never store your passwords.
Read-only by default
Live: Our agents read from your systems by default. Every write (a pricing change, a journal entry, a guest message) is gated behind explicit per-action approval or a documented auto-pilot scope you configure.
Audit trail on every agent action
Live: Every agent decision is logged with inputs, context, and reasoning. Exportable per engagement.
SOC 2 Type II
In progress: Audit in progress; report target Q3 2026. Happy to share current controls documentation under NDA.
SSO / SAML
Roadmap: Magic-link login today. Okta / Google Workspace SSO on the roadmap for enterprise plans.
- Retention: Customer operational data retained for the length of the engagement plus 30 days after termination, then deleted unless a legal hold requires otherwise.
- Residency: All production data is hosted in the US today. Non-US residency available on request for enterprise engagements.
- Production access: Production data access is limited to founders and named engineers, all under signed confidentiality agreements.
Third parties that process customer data on our behalf. We review and update this list as our stack evolves.
| Vendor | Purpose | Data |
|---|---|---|
| Vercel | Hosting and edge deployment | Request logs, cached responses |
| Resend / Hostinger SMTP | Transactional email | Access-request emails and outbound notifications |
| Google Workspace | Internal email and document collaboration | Internal communications about customer engagements |
- Primary contact: stevenbrown@bnbventuresco.com
- Target response: Acknowledgment within 4 business hours; resolution target depends on severity.
- Process: Triage → customer notification → fix → post-mortem. Post-mortems shared with affected customers.
Need deeper diligence?
Happy to share our control documentation, penetration test results, or SOC 2 progress under NDA.