Security & Trust
We don't require PMS or CRS integration, which means you don't trigger a brand IT review to use DeepBench. Here's how everything else works.
DeepBench supports multi-state US consent law out of the box. Every property gets a tested disclosure script for the answering agent, an opt-in flag per phone line, and signed-URL-only audio access internally. For states with two-party consent (CA, FL, IL, MA, MD, MT, NH, NV, PA, WA), the disclosure is built into the TwiML your line ships with.
Transcripts and scoring rows live in a tenant-isolated Supabase Postgres database. Every table that holds customer data has Row Level Security turned on. Audio files live in a private storage bucket with short-lived (10-minute) signed URLs. Deletion-on-request is supported; we'll honor it in a reasonable timeframe and confirm completion in writing.
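A sketch of what tenant-scoped Row Level Security looks like on Supabase Postgres, with two catalog queries a reviewer can run to check that RLS is on and is actually scoping rows. This is an added example, not DeepBench's schema or code: the `call_transcripts` table and the `tenant_id` claim under `app_metadata` are assumptions.

```sql
-- Hypothetical table; DeepBench's real schema is not published on this page.
create table if not exists call_transcripts (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,
  transcript text not null
);

-- ENABLE with no policy denies all rows to non-owner roles;
-- FORCE makes the table owner subject to the policies as well.
alter table call_transcripts enable row level security;
alter table call_transcripts force row level security;

-- Weak form, shown for contrast (left commented out): RLS is "on",
-- yet every authenticated user can read every tenant's rows.
-- create policy transcripts_read_all on call_transcripts
--   for select to authenticated using (true);

-- Tenant-scoped form: a row is readable or writable only when its
-- tenant_id equals the tenant claim in the caller's JWT.
-- (Claim location is an assumption for this example.)
create policy transcripts_tenant_isolation on call_transcripts
  for all to authenticated
  using      (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid)
  with check (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid);

-- Audit 1: ordinary tables in the public schema with RLS switched off.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;

-- Audit 2: policies whose row filter is the constant true,
-- i.e. RLS is enabled but nothing is being filtered.
select schemaname, tablename, policyname, cmd, roles
from pg_policies
where schemaname = 'public'
  and qual = 'true';
```

On Supabase the `service_role` key bypasses RLS entirely, so these policies protect only the paths that use end-user JWTs.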
Guest names and phone numbers are redacted from all client-facing UI surfaces — we mask the middle digits of every caller number and never display guest names on dashboard reports. Agent/team-member data is shared only with the tenant that owns it.
We are pre-SOC 2 today. Type I scoping is underway; we'll publish the audit partner and timeline here when that contract is signed. Type II is on the roadmap — no committed date yet. GDPR data-subject requests are supported. If you need our current security questionnaire, email security@deepbench.io and we'll send it under NDA.
DeepBench does not require PMS, CRS, or property-level IT integration. Because no guest-facing infrastructure is touched, standard deployments typically fall outside the scope of a brand IT review — but we recommend confirming with your brand-ops contact at Marriott, Hilton, Hyatt, IHG, or Accor before rollout. At the Enterprise tier we also ship brand-standards compliance rubrics so your scoring aligns with your flag's QA program.
Every property gets a packet of front-desk disclosure scripts and visual-signage templates to post near the reservation desk. Templates reflect current state-by-state two-party-consent requirements; we recommend your GC review before deployment. You'll find them in your dashboard under Settings › Compliance after onboarding.
SOC 2 · detailed path
We don’t have an audit report to hand you yet. Here’s the exact status, what’s in scope, and when we expect to be able to send one under NDA.
| Stage | Status | Notes |
|---|---|---|
| Trust-service criteria scoped | Complete | Security · Availability · Confidentiality in scope for Type I. |
| Control library drafted | Complete | Mapped to SOC 2 AICPA 2022 framework; access, change mgmt, incident response, vendor review. |
| Audit partner selected | In progress | Two firms in final review. Announcement + timeline published here on signing. |
| Type I report | Target Q3 2026 | Available under NDA on request once issued. |
| Type II report | Target mid-2027 | Requires a 6-month observation window; schedule starts with Type I close. |
If a signed SOC 2 Type II is a contractual requirement for your organization, we’ll say so honestly and point you at incumbents that already hold one. For pilot programs with a 6–12 month horizon, our Type I should arrive in your procurement window.
Data handling · retention + encryption
Call-recording compliance · state-by-state
Most US states are one-party consent. A handful require all-party consent — your recording disclosure needs to be audible before the conversation begins. DeepBench ships a tested disclosure script (audible notice; delay on pickup for IVR coverage) on any line flagged with a two-party state.
| State | Regime | DeepBench default |
|---|---|---|
| California | Two-party / all-party consent | Audible disclosure script shipped by default; cross-state calls apply CA rules. |
| Florida | Two-party / all-party consent | Audible disclosure; written consent on file for front-desk scan device. |
| Illinois | Two-party / all-party consent | Eavesdropping Act — audible disclosure before recording engages. |
| Maryland | Two-party / all-party consent | Same default as CA / IL — disclosure precedes record. |
| Massachusetts | Two-party / all-party consent | M.G.L. c. 272 § 99 — disclosure + no secret recording. |
| Montana | Two-party / all-party consent | Disclosure required; disclosure script provided for every line. |
| Nevada | Two-party / all-party consent | Interpretation varies — we default to audible disclosure for safety. |
| New Hampshire | Two-party / all-party consent | Disclosure required; same default as CA. |
| Pennsylvania | Two-party / all-party consent | Wiretap Act — audible disclosure + staff training template. |
| Washington | Two-party / all-party consent | Disclosure + announcement; cross-state applies WA rules. |
| Other 40 states + DC | One-party consent | One-party consent; disclosure still ships by default as a best practice. |
This summary is current as of 2026 and reflects our default configuration. State law changes; your General Counsel should confirm before go-live. If a line is cross-state (guest in CA calling a hotel in TX), DeepBench applies the stricter regime by default.
PII treatment & redaction
For GDPR / CCPA data-subject requests
Email privacy@deepbench.io. Requests are acknowledged within 5 business days and fulfilled within 30. If the subject is a guest whose call was recorded at one of our hotel customers, we notify the customer tenant as part of the response flow.
The short version
If you have a specific question your brand IT team needs answered before you move forward, email security@deepbench.io. We’ll reply within one business day with citations.
Write us at security@deepbench.io. Same-day reply, with citations.