
Security & sub-processors

LAST UPDATED · MAY 25, 2026
PLACEHOLDER COPY
Convo is an early-stage company. This page lists what we use today, plainly. A SOC 2 Type II audit is on the roadmap as we move into institutional contracts that require it; if you need an interim attestation now, email legal@convo.app and we’ll send our current security questionnaire response.

Current sub-processors

Convo uses the following third-party services to provide the platform. We notify the institution’s billing contact by email of material additions or replacements at least 30 days before the change takes effect.

Hosting: Vercel, Inc. (United States) — application hosting and edge delivery.

Database, storage, auth: Supabase, Inc. (United States) — Postgres database, object storage for generated audio and reference materials, and staff authentication for the admin portal.

AI services: OpenAI, L.L.C. (United States) — script drafting and visitor-question answering. Convo configures its OpenAI usage with the “zero data retention” / “no training” enterprise terms; prompts and responses are not retained by OpenAI beyond the request, and no Convo customer data is used to train models.

Voice synthesis: ElevenLabs Inc. (United States) — multilingual text-to-speech for published tours. Generated audio is stored in Supabase, not at ElevenLabs.

Billing: Stripe, Inc. (United States) — subscription billing and payment processing. Card numbers never touch Convo’s servers.

Analytics: Google Analytics 4 (United States) — anonymized website analytics for the marketing site only. The visitor tour experience does not use Google Analytics.

Data residency

The default processing region is the United States (Vercel + Supabase US-East). Institutions whose legal teams require EU-region hosting can request deployment to EU-Central (Frankfurt) at contract signing; that includes Vercel’s EU edge and an EU-region Supabase project. There is no additional fee for EU hosting on Studio, Institution, or Enterprise plans.

Transport & storage encryption

All traffic between visitors, staff, and Convo is encrypted with TLS 1.2 or higher. All data at rest in Supabase and Vercel Blob is encrypted at the storage layer. Backups are encrypted with separate keys and held for 30 days.

Access control

Staff access to the admin portal uses email-based authentication with magic links by default. SSO via SAML or OIDC is available on Institution and Enterprise plans. Convo employees access production data only when responding to a support request or investigating an incident; all such access is logged.

What Convo doesn’t do with your data

Reference materials, scripts, audio, and visitor interaction data belong to the institution. Convo does not train any AI model on institutional data, does not share it with other institutions, and does not sell it. Data export in plain formats (CSV, MP3, JSON) is available at any time on request.

Reporting a vulnerability

Email legal@convo.app with details. We acknowledge within one business day. We don’t have a formal bug-bounty program yet but will credit researchers who disclose responsibly, and we may offer a thank-you in cash or kind for meaningful findings.

QUESTIONS?

Write to legal directly.