
Security

Security, privacy and compliance posture

Last updated June 23, 2026

Journey Builder is designed for CX consultants and teams that handle customer journey content, stakeholder feedback and operational action plans. This page summarizes the controls currently in place and the readiness work underway for SOC 2 / ISO 27001-style reviews.

Access control

Authentication, workspace membership, role checks and row-level security (RLS) protect customer data.

Auditability

Security, platform and workspace audit streams record sensitive events.

GDPR ready

Self-service export/delete, DPA, subprocessors and privacy docs are available.

Current controls

  • EU-hosted application and primary data storage.
  • Supabase authentication, row-level security and server-side authorization checks.
  • Workspace roles, invitation controls and protected admin surfaces.
  • Centralized security audit events for login, exports, data subject requests (DSRs) and admin access denials.
  • GDPR self-service data export and account deletion flows.
  • DPA, subprocessors list, privacy policy and cookie controls available publicly.
  • CSP, HSTS, no-sniff, frame protection and restrictive permissions policy headers.
  • AI provider routing controlled centrally, with Free plan AI disabled.

Audit logging

The platform maintains separate audit streams for workspace actions, platform administration and security/compliance events. Security events include successful login callbacks, login callback failures, admin access denials, journey exports, GDPR exports, account deletion and DSR actions.

Data protection

Data access is scoped by workspace membership and role. Customer content is processed to provide the service, support requested AI operations, generate exports and maintain security evidence.

AI data handling

AI features run only when invoked by a user. Provider routing is centrally controlled, Free workspaces do not receive AI access, and paid AI behavior is governed by the platform policy.

Readiness status

Journey Builder is not currently claiming completed SOC 2 or ISO 27001 certification. The product is being prepared with the evidence, auditability and operating controls required for a formal review.

Incident response

Security and privacy incidents are triaged by severity, with evidence preserved from audit logs, runtime logs and provider telemetry. GDPR-related incidents are routed through the DPO contact path for legal assessment.

Audit retention

Security and administrative audit evidence is retained only for the period needed for security, fraud prevention, support and compliance accountability, and is then deleted or pseudonymized where appropriate.

Compliance documents

  • Privacy policy
  • Data processing addendum
  • Subprocessors
  • Cookies and local storage