Security & Trust

Answers to the questions brand IT teams actually ask.

We don't require PMS or CRS integration, which means you don't trigger a brand IT review to use DeepBench. Here's how everything else works.

Server infrastructure close-up

Call consent & two-party recording

DeepBench supports multi-state US consent law out of the box. Every property gets a tested disclosure script for the answering agent, an opt-in flag per phone line, and signed-URL-only audio access internally. For states with two-party consent (CA, FL, IL, MA, MD, MT, NH, NV, PA, WA), the disclosure is built into the TwiML your line ships with.

Data handling

Transcripts and scoring rows live in a tenant-isolated Supabase Postgres database. Every table that holds customer data has Row Level Security turned on. Audio files live in a private storage bucket with short-lived (10-minute) signed URLs. Deletion-on-request is supported; we'll honor it in a reasonable timeframe and confirm completion in writing.

PII

Guest names and phone numbers are redacted from all client-facing UI surfaces — we mask the middle digits of every caller number and never display guest names on dashboard reports. Agent/team-member data is shared only with the tenant that owns it.

SOC 2 / GDPR posture

We are pre-SOC 2 today. Type I scoping is underway; we'll publish the audit partner and timeline here when that contract is signed. Type II is on the roadmap — no committed date yet. GDPR data-subject requests are supported. If you need our current security questionnaire, email security@deepbench.io and we'll send it under NDA.

Brand-standard compatibility

DeepBench does not require PMS, CRS, or property-level IT integration. Because no guest-facing infrastructure is touched, standard deployments typically fall outside the scope of a brand IT review — but we recommend confirming with your brand-ops contact at Marriott, Hilton, Hyatt, IHG, or Accor before rollout. At the Enterprise tier we also ship brand-standards compliance rubrics so your scoring aligns with your flag's QA program.

Consent templates

Every property gets a packet of front-desk disclosure scripts and visual-signage templates to post near the reservation desk. Templates reflect current state-by-state two-party-consent requirements; we recommend your GC review before deployment. You'll find them in your dashboard under Settings › Compliance after onboarding.

The short version

No PMS integration. Tenant-isolated data. Consent-first recording.

If you have a specific question your brand IT team needs answered before you move forward, email security@deepbench.io. We’ll reply within one business day with citations.

  • No access to your PMS, CRS, or property-level IT systems.
  • All call audio stored in private buckets; access via short-lived signed URLs only.
  • Row Level Security enforced on every customer-data table in Postgres.
  • Service-role writes only; clients can never insert their own scoring rows.
  • Two-party-consent scripts, per-line recording flags, and audit logs for every webhook event.

Still have a question?

Write us at security@deepbench.io. Same-day reply, with citations.

Run a Free Scan →Talk to the Founder →