Trust & Security
Effective June 30, 2026
1. How we protect your data
Encryption at rest. Salesforce OAuth refresh tokens, Connected App client secrets, and PM-integration credentials are encrypted with AES-256-GCM in our Postgres database. Ciphertext carries a key-version prefix so we can rotate the master key without downtime.
Encryption in transit. All Deplo endpoints enforce TLS 1.2+. HSTS is set with a two-year max-age and includeSubDomains. The Chrome extension talks to the backend over HTTPS only.
Authentication. Access tokens are HS256-signed JWTs with a 30-minute TTL; the algorithm is pinned on every verify call to prevent alg-confusion attacks. Refresh tokens are stored as SHA-256 hashes server-side and rotate on every use (replay-resistant).
Read-only by default. Deplo's Salesforce OAuth scopes are read-only for every customer at signup. Write access (Records Doctor) requires three independent opt-ins: a server-wide flag, a workspace setting, and a per-org toggle. Production writes are additionally gated until our extended rollback-test program completes.
Audit logging. Every Records Doctor execution, every share-link view, every billing change, every org connect/disconnect is logged with actor, timestamp, before/after state, and rollback plan where applicable.
Tenant isolation. Every customer-scoped table (orgs, analyses, investigate_runs, repair_proposals, monitoring snapshots) is constrained to workspace_id NOT NULL and filtered on every read. No cross-tenant data path exists in code.
2. Anthropic (our AI provider)
Deplo calls Anthropic's Claude API for explanation, investigation, and proposal generation. Three guarantees:
- Zero retention. We operate under Anthropic's commercial API terms, which state that API inputs and outputs are not used to train Anthropic's models and are retained only for the period needed to operate the service (typically 30 days for abuse monitoring, then deleted). We do not enable any "training" or "extended context" features.
- No bulk record export. Records Doctor prompts include only the targeted record's current values for the fields involved in the proposed repair: never the full record, never other records, never bulk SOQL output.
- Prompt injection defenses. All customer-supplied content sent to Claude (ticket bodies, formulas, free-form Investigate inputs) is wrapped in safety tags that the model is instructed to treat as data, not instructions.
3. Subprocessors
Deplo uses the following subprocessors. We notify customers in advance of any material change to this list (30 days' notice for additions that receive customer data).
- Anthropic, PBC (San Francisco, CA): Claude API for AI-generated content.
- Supabase, Inc. (Postgres database; AWS-hosted, US-East).
- Render, Inc. (Backend hosting; AWS-hosted, US-East).
- Vercel, Inc. (Frontend + static assets; AWS-hosted, multi-region edge).
- Stripe, Inc. (Billing + payment processing; PCI-DSS Level 1).
- Resend, Inc. (Transactional email: password reset, invites, alerts).
- PostHog, Inc. (Product analytics: events only, no Salesforce data).
- Sentry, Inc. (Error tracking: stack traces only, no Salesforce data).
Slack, Jira, Linear, and ServiceNow are integrations the customer optionally connects, not subprocessors of Deplo. Data flowing to those tools is at the customer's direction.
4. Compliance posture
SOC 2: not yet. Deplo is a single-operator company at launch scale, and we would rather say so than imply an audit that hasn't happened. The roadmap, in order: our published security questionnaire (no NDA required), an independent penetration test, then SOC 2 as revenue justifies it. Our AI provider carries its own attestations: Anthropic publishes SOC 2 Type II and ISO 27001 at trust.anthropic.com.
GDPR. We act as a data processor for EU customer accounts; the customer is the data controller. Our standard DPA template is public; signed copies are executed per-customer. Request one at security@getdeplo.com.
HIPAA. Deplo is not currently a HIPAA-covered entity or business associate. Do not connect Salesforce orgs containing ePHI.
Data residency. All primary data is stored in US-East (Supabase + Render). EU-only data residency is a Custom-tier feature on roadmap.
5. Incident response
We monitor every backend endpoint via Sentry + per-endpoint metrics. Critical findings (auth bypass, data exposure, billing miscalculation) alert the operator immediately. Customer-impacting incidents are communicated by direct email to affected accounts within 24 hours of detection.
6. Responsible disclosure
Found a security issue? Please email security@getdeplo.com with a description, reproduction steps, and your preferred contact method. We aim to acknowledge within 24 hours and triage within 72 hours. We do not currently run a paid bug-bounty program, but we publicly credit reporters who request it.
Out-of-scope: rate-limit-based DoS, version-disclosure on /health, missing low-severity HTTP headers (we set CSP, HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy already).
7. Account deletion
You can delete your Deplo account at any time by emailing hello@getdeplo.com. We delete account data within 30 days of confirmed deletion, except for billing records (retained 7 years for tax compliance) and audit logs of past Records Doctor executions (retained for the deletion period only, then purged).
8. Contact
General questions: hello@getdeplo.com. Security reports: security@getdeplo.com. DPA + security questionnaire requests: include "DPA" or "security review" in the subject.