Trust Center
Security at OLISE
We are a pre-SOC 2 company building toward enterprise-grade compliance. This page documents what is in place today, what is in progress, and where we rely on our vendors' own certifications.
Data protection
Encryption in transit
All traffic is encrypted with TLS 1.3. Connections that negotiate below TLS 1.2 are rejected.
Encryption at rest
Data at rest is encrypted with AES-256 via Supabase (Postgres) and Vercel (storage and edge). We do not manage raw disks.
OAuth token storage
Third-party access and refresh tokens are encrypted with AES-256-GCM before being written to the database. Postgres never stores plaintext tokens.
Infrastructure
OLISE runs entirely on vendor-managed infrastructure. We do not operate physical servers or data centers.
| Vendor | Role | Certification |
|---|---|---|
| Vercel | Hosting, edge network, CI/CD | SOC 2 Type II, ISO 27001 |
| Supabase | Database (Postgres), authentication, storage | SOC 2 Type II |
| Stripe | Payment processing | PCI DSS Level 1 |
| Twilio | Telephony (inbound and outbound calls, SMS) | ISO 27001, SOC 2 Type II, HIPAA eligible |
| Anthropic | Large language model (call AI) | SOC 2 Type II |
| ElevenLabs | Text-to-speech synthesis | SOC 2 Type II |
Compliance status
We are working toward SOC 2 Type II certification, with audit readiness targeted for Q3 2026. We do not currently hold a SOC 2 report.
A Business Associate Agreement (BAA) is available for customers on the Enterprise tier. Standard and Growth tier accounts are not covered by a BAA.
A Data Processing Agreement (DPA) is available to any customer on request. We act as a data processor for personal data you provide through OLISE.
OLISE does not store, process, or transmit cardholder data. Payment processing is handled exclusively by Stripe, a PCI DSS Level 1 certified provider. We are not ourselves PCI certified.
Subprocessors
The following third-party services may process personal data on behalf of OLISE customers.
| Vendor | Purpose | Data location |
|---|---|---|
| Vercel | Application hosting and edge delivery | United States, EU |
| Supabase | Database, authentication, file storage | United States |
| Stripe | Payment processing and billing | United States |
| Twilio | Voice calls and SMS | United States |
| Anthropic | AI language model for call handling | United States |
| ElevenLabs | Text-to-speech voice synthesis | United States |
Incident response
Customer notification
Confirmed security incidents affecting customer data are reported to affected customers within 72 hours of detection, consistent with GDPR Article 33 obligations.
Scope
This commitment applies to incidents within OLISE-controlled systems. Incidents originating from our vendors are subject to their own notification policies.
Security contact
To report a vulnerability or ask a security question, email us at support@olise.ai.
We do not currently publish a PGP key. We respond to all security inquiries within 2 business days.