Security & data handling
Pre-launch — last reviewed 2026-05-06. This page describes how BITRAGE.AI handles your business, customer, and financial data. We update this when our handling changes.
Single-line summary: Your data lives in your accounts (your Stripe, your Wave, your Google Workspace, your Retell sub-account). BITRAGE.AI has operational access while you're a customer; cancel and that access flips off. The data stays yours.
Where your data actually lives
- Payments + invoices: Stripe, in your Stripe account. We never see card numbers — Stripe handles them. Your tax-compliant invoices live in Stripe billing.
- Books-of-record: Wave Accounting, in your Wave account. Daily Stripe → Wave revenue export keeps the books current within 24 hours.
- Customer database: Supabase Postgres, in our project, gated by Row-Level Security. Anonymous + authenticated PostgREST roles have ZERO policies — only the service-role key reads PII. A leaked anon key cannot dump customer data.
- Email + receptionist calls: ZeptoMail (transactional email) and Retell (voice receptionist), each in your sub-account so call recordings + email logs belong to you.
- Site & agent code: Cloudflare Pages — global edge, HTTPS-only, no origin server to compromise.
What's gated and how
- RLS on every PII table: intake_leads, customers, customer_users, customer_subscriptions, customer_sessions, customer_messages, stripe_webhook_events. Service-role-only ALL policy. Documented in migration 047_enable_rls.sql.
- Magic-link auth for the customer portal: 7-day TTL, one-shot tokens. Self-serve resend rate-limited 3-per-hour-per-IP and 5-per-hour-per-email.
- Rate limits on every public endpoint: /api/stripe-checkout (5/5min/IP), pack-* AI agents (30/min/IP), portal-resend-invite (3/hr/IP). Card-testing fraud + Anthropic-bill DDoS are throttled at the edge.
- Stripe webhook idempotency: event_id is the primary key of the webhook-events table, so a Stripe retry of an already-stored event is rejected as a duplicate instead of being processed a second time.
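To make the "zero policies for anon/authenticated" point concrete, here is an added example of that RLS pattern. It is not the contents of the project's 047_enable_rls.sql; it assumes Supabase's standard PostgREST role names (anon, authenticated, service_role) and uses the customers table from the list above, with the same statements repeated per PII table.

```sql
-- Added illustration, not the project's own migration. Assumes the Supabase
-- roles anon, authenticated and service_role exist; shown for one table.

-- 1. Turn RLS on. Once enabled, a role with no matching policy sees no rows
--    and can insert/update/delete none, even if it holds table-level GRANTs.
ALTER TABLE public.customers ENABLE ROW LEVEL SECURITY;
-- Also apply the policies to the table owner (roles with the BYPASSRLS
-- attribute, such as Supabase's service_role, remain exempt).
ALTER TABLE public.customers FORCE ROW LEVEL SECURITY;

-- 2. The only policy: service_role may do everything. Deliberately no policy
--    is created for anon or authenticated; that absence is what makes a
--    leaked anon key unable to dump the table.
CREATE POLICY customers_service_role_all
  ON public.customers
  FOR ALL
  TO service_role
  USING (true)
  WITH CHECK (true);

-- 3. Check: list the table's policies. anon and authenticated must not
--    appear in any roles column.
SELECT policyname, roles, cmd
  FROM pg_policies
 WHERE schemaname = 'public' AND tablename = 'customers';

-- 4. Check: as the anonymous PostgREST role the table reads as empty, even
--    with rows present (or the query fails outright if anon has no SELECT
--    grant; either outcome is acceptable).
SET ROLE anon;
SELECT count(*) FROM public.customers;  -- expected: 0
RESET ROLE;
```

Rerun checks 3 and 4 after every migration that touches a PII table, since a later CREATE POLICY ... TO anon or a DISABLE ROW LEVEL SECURITY would silently undo this guarantee.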
What we have access to and what we don't
- While you're a customer: BITRAGE.AI has operational access to your Wave, Stripe-customer view, ZeptoMail, Retell, Google Business Profile — same as if you'd hired a human bookkeeper.
- You always own the master credentials. We work via delegated/staff access where possible. You can revoke us at any time.
- When you cancel: access is removed within 24 hours. The data stays in your accounts. Customer database (Supabase) export is provided on request via NATRIX.
- What we never have: your bank login, your CRA login, your customer card numbers. Those are with the actual banks and Stripe respectively.
Encryption + transport
- HTTPS-only via Cloudflare. HSTS preloaded. TLS 1.3.
- Database connections to Supabase are TLS-only.
- Email (ZeptoMail) uses opportunistic TLS to recipient mail servers.
- Customer session tokens are 64-byte random; password hashes use PBKDF2 (SHA-256, 100K iterations).
Backups + DR
- Supabase Postgres has automated daily backups + point-in-time recovery (7-day window on the free tier; we plan to upgrade before customer #1).
- All schema is captured in versioned migrations (50 applied as of 2026-05-06). A fresh DR rebuild can replay the schema from migrations/MANIFEST.md.
- Agent run telemetry, Stripe webhook events, decisions, audit logs all retained 90 days minimum.
Disclosure
If we discover a data breach affecting customer information, we will notify affected customers via email within 72 hours and the Office of the Privacy Commissioner of Canada per PIPEDA requirements.
Reach the security contact
Email [email protected] with "[Security]" in the subject line. Direct route to the operator. We respond same-business-day Mountain Time.