Security & sub-processors
Current sub-processors
Convo uses the following third-party services to provide the platform. Material additions or replacements are notified by email to the institution’s billing contact in advance — typically at least 30 days before the change takes effect.
Hosting: Vercel, Inc. (United States) — application hosting and edge delivery.
Database, storage, auth: Supabase, Inc. (United States) — Postgres database, object storage for generated audio and reference materials, and staff authentication for the admin portal.
AI services: OpenAI, L.L.C. (United States) — script drafting, visitor-question answering, and multilingual text-to-speech for published tours. Convo uses OpenAI under its standard API terms: API data is not used by OpenAI to train its models, and is retained by OpenAI for up to 30 days for abuse monitoring before deletion. Convo does not have OpenAI’s “zero data retention” enterprise endpoint enabled today. Audio generated by OpenAI’s TTS is stored in Convo’s Supabase bucket, not at OpenAI.
Billing: Stripe, Inc. (United States) — subscription billing and payment processing. Card numbers never touch Convo’s servers.
Transactional email: Resend, Inc. (United States) — sign-in passcodes, account notifications, and other operational email to staff and visitors. Recipient email addresses and the email body pass through Resend in the normal course of delivery.
Error monitoring: Sentry, Inc. (United States) — application error reporting for the admin portal. Error reports can include staff user IDs, request paths, and the IP address that triggered the error. No reference materials, scripts, or audio are sent to Sentry.
Marketing-site analytics: Google Analytics 4 (United States) — used on this marketing site only. GA4’s default configuration does not store full visitor IP addresses, and Convo does not join analytics events to any institutional contact record. The visitor tour experience (iOS, web, and admin portal) does not use Google Analytics.
Data residency
All processing happens in the United States today (Vercel and Supabase US-East). EU-region hosting is on the roadmap; we expect to offer it to Enterprise customers as deal volume justifies the dual-region infrastructure. Institutions whose legal teams require EU-region processing as a hard requirement should raise it during procurement so we can confirm timing.
Transport & storage encryption
All traffic between visitors, staff, and Convo is encrypted in transit. Convo’s own application endpoints (the marketing site, admin portal, and visitor tour app) are served over HTTPS via Vercel’s edge, which negotiates TLS 1.2 or higher. Supabase enforces TLS for all Postgres and Storage API connections, also TLS 1.2 or higher per Supabase’s published configuration. Data at rest in Supabase (Postgres + Storage) is encrypted at the storage layer using AWS-managed keys. Database backups are encrypted and retained for 30 days.
Access control
Staff access to the admin portal uses email-based authentication with a one-time passcode (OTP) sent to the staff member’s email; passwords are not used. SSO via SAML or OIDC is on the roadmap for Institution and Enterprise plans; Enterprise customers can request a target date during procurement. Convo employees access production data only when responding to a support request or investigating an incident; all such access is logged.
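The paragraph above describes the access-control design only in outline. The following is an added illustration of the properties a passcode-only sign-in needs to hold (codes drawn from a CSPRNG, stored only as salted hashes, single use, short expiry, a bounded number of guesses, and constant-time comparison). It is example code written for this page, not Convo’s implementation, and it assumes an in-memory store, six-digit codes, a ten-minute lifetime and a five-attempt limit; the store, names and limits are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters (not Convo's published values).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 600        # a code is valid for ten minutes
MAX_ATTEMPTS = 5             # guesses allowed before the code is discarded
PBKDF2_ROUNDS = 50_000


def _hash_code(code: str, salt: bytes) -> bytes:
    """Store only a salted, stretched hash so a leaked table of pending
    codes cannot be replayed against the sign-in form."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class OtpStore:
    """Pending passcodes keyed by lower-cased email address.

    Constructed for this example: an in-memory dict stands in for the
    database table a real deployment would use. `clock` is injectable so
    expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, dict] = {}

    def issue(self, email: str) -> str:
        """Generate a fresh code for `email`, replacing any pending one.

        The returned code is what gets emailed to the staff member; it is
        never written to the store or to logs in clear text.
        """
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[email.lower()] = {
            "hash": _hash_code(code, salt),
            "salt": salt,
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, email: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code."""
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False                     # nothing pending for this address
        if self._clock() > entry["expires_at"]:
            del self._pending[key]           # expired: discard, user must re-request
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]           # too many guesses: invalidate the code
            return False
        ok = hmac.compare_digest(_hash_code(submitted, entry["salt"]), entry["hash"])
        if ok:
            del self._pending[key]           # single use: a replayed code fails
        return ok


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("curator@example.org")      # constructed address
    print("emailed code:", code)
    print("first use:", store.verify("curator@example.org", code))
    print("replay:", store.verify("curator@example.org", code))
```

The attempt counter is incremented before the comparison so that a wrong guess and a correct guess cost the same; the deletion on success is what makes the code single use, and the injectable clock is what lets the expiry path be tested deterministically.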
What Convo doesn’t do with your data
Reference materials, scripts, audio, and visitor interaction data belong to the institution. Convo does not train any AI model on institutional data, does not share it with other institutions, and does not sell it. Data export in plain formats (CSV, MP3, JSON) is available at any time on request.
Audits and questionnaires
Convo is an early-stage company and does not hold a SOC 2 Type II attestation today. A SOC 2 Type II audit is on the roadmap as we move into institutional contracts that require it. For procurement in the meantime, email legal@convo.app and we’ll send our current security questionnaire response.
Reporting a vulnerability
Email legal@convo.app with details. We acknowledge within one business day. We don’t have a formal bug-bounty program yet but will credit researchers who disclose responsibly, and we may offer a thank-you in cash or in kind for meaningful findings.