Built to handle real customer data
Utility bills carry account numbers, service addresses, and consumption history. We treat that data the way your security team would.
Encryption
AES-256 at rest, TLS 1.2+ in transit. Per-tenant encryption keys. PDFs purged on configurable retention windows.
SOC 2 controls
Access reviews, change management, vendor risk, incident response, and continuous monitoring aligned to SOC 2 Type II.
Access controls
Least-privilege staff access, SSO/SAML for enterprise customers, audit logs for every admin action.
Data residency
US (us-east), EU (eu-west), and AU (ap-southeast) regions. Your data never leaves the region you choose.
Retention
Default 30-day PDF retention. Configurable down to 24 hours or up to 7 years for compliance archives.
GDPR-aligned
Data Processing Agreement (DPA) available on request. Data subject requests handled within 30 days. Sub-processors disclosed and reviewed annually.
Who touches your data
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloudflare | Edge compute, CDN, DDoS | Global |
| Supabase (AWS) | Database, storage | us-east, eu-west, ap-southeast |
| OpenAI / Google AI | Vision model fallback (opt-in) | us-east |
| Brevo | Transactional email | EU |
| Paddle | Payments, merchant of record (MoR) | EU/US |
Need a vendor questionnaire?
We respond to security questionnaires (SIG, CAIQ, custom) within 5 business days. DPA, sub-processor list, penetration test summary, and SOC 2 report (under NDA) available for enterprise customers.