Compliance posture
How we approach data residency, retention, regulatory frameworks, and the data we deliberately don't collect or store.
See the Trust Center for security controls and the Data Processing Addendum for the legal contract.
Vercel + Supabase US regions. EU data residency available on request for enterprise.
Auditor engaged. Attestation targeted within 6 months of SPAR approval. SOC 2-aligned controls already operating today.
Data isolation per tenant
For franchise networks specifically: every franchise location is a separate tenant. One franchise's data (leads, calls, claims, photos, financial records) is never visible to another, even if both belong to the same parent corporation, unless the parent is granted explicit read-only network-roll-up access.
Postgres Row-Level Security policies on every tenant-owned table. A franchise admin querying via the API cannot retrieve another franchise's records.
Keys can be issued at the franchise (operational) level, parent-corp (read-only roll-up) level, or integration-partner (specific resource) level.
Every state-changing action is logged within the tenant scope. Parent-corp roll-up audit access is opt-in by each franchise.
AI prompt context is constructed from a single tenant's data per request. There is no shared "network knowledge base" that mixes franchise data.
What we deliberately don't store
The most defensible security posture is the data you never collect. Here's what we keep out of the platform.
Sensitive claim data long-term
Insurance claim photos, scope items, and structured documentation default to 90-day retention. Customers can configure shorter windows or trigger early deletion at any time.
Payment card data
We do not capture or process credit card numbers. All billing flows route through PCI-compliant payment processors (e.g., Stripe).
Protected health information (PHI)
We do not currently process PHI. Customers must not upload PHI without a separate HIPAA Business Associate Agreement (BAA), which we will execute for qualifying enterprise customers on request.
Government-issued IDs or biometric data
We do not collect, store, or process driver's licenses, passports, social security numbers, or biometric identifiers in the platform's primary product surface.
Tenant data inside model training datasets
We do not use any tenant data (prompts, outputs, recordings, transcripts, photos, or structured records) to train, fine-tune, or improve AI models. This is enforced contractually with our AI subprocessors.
Insurance and claims posture
We do not write to Xactimate, XactAnalysis, Symbility WorkSpace, DASH/MICA, or any carrier portal. We do not directly manage claim records of record. Our Insurance Documentation Assist generates structured inputs (scope items, photo summaries, room dimensions) that authorized human team members enter or upload through the existing approved tools.
This design choice keeps us outside of regulated systems-of-record while still delivering meaningful efficiency improvements. It also means franchise teams retain full control and accountability for what enters their carrier-facing systems.
GDPR / CCPA / CPRA data subject rights
We honor these rights for every customer and end user, regardless of jurisdiction. Standard 30-day SLA on requests; expedited handling available for verified urgent matters.
Right to access
Customers and authorized end users can request a complete export of their data via the dashboard or by emailing info@expertailabs.com. Exports return within 30 days, JSON format.
Right to erasure
Submit a deletion request via the dashboard, API, or email. We complete erasure within 30 days, with confirmation. Audit-log records of administrative actions are retained for 7 years per regulatory requirements but contain no personal data beyond actor identifiers.
Right to rectification
Tenant administrators can edit, correct, or update any record they own through the dashboard or API. End-user-initiated rectification requests are honored within 30 days.
Right to data portability
All exports are provided in machine-readable JSON. Standard relational schemas allow import into other CRMs or operational systems.
Right to object / restrict processing
Customers can pause or restrict specific processing categories (e.g., AI-assisted features) via per-tenant settings without losing access to the platform.
Submit a data subject request
Email us with your request. We acknowledge within 5 business days.
Doing vendor diligence on us?
Pull our DPA, send us your security questionnaire, or schedule a 30-minute review. We respond to questionnaires within 5 business days.