Trust & Security

How we handle your production data

Converra is designed for production environments. Security and data handling are foundational to our architecture, not afterthoughts. This page documents our security posture, data practices, and compliance status.

Core Security Principles

Data Minimization

We only process what's needed for optimization. Converra generates scenario abstractions from interaction patterns, not verbatim transcripts.

  • You control what data you send
  • Optional redaction before ingestion
  • No cross-customer training — ever

Offline-First Architecture

By default, prompt testing happens in offline simulations, not on live users. Changes are validated against scenario abstractions derived from production patterns before anything ships.

Encryption Everywhere

All data is encrypted both in transit and at rest.

  • In transit: TLS 1.2+ for all API communication and data transfer
  • At rest: AES-256 encryption via infrastructure providers (MongoDB Atlas, AWS S3)
  • Key management: Managed by infrastructure providers with automatic key rotation

Access Controls

Multi-layered access control protects customer data at every level.

  • RBAC: Role-based access control with tenant-scoped permissions
  • Authentication: Secure session management with HTTP-only cookies, Google OAuth/SSO
  • SSO/SAML: Available on Enterprise plan
  • API keys: Scoped, rotatable, revocable

Data Isolation

Every customer's data is logically isolated. No cross-tenant data access is possible through the application.

  • Per-customer tenant identifiers enforced at the application layer
  • Authorization checks on every query and mutation
  • Enterprise customers can request single-tenant or VPC deployment

Production-Grade Infrastructure

Hosted on vendors that maintain their own SOC 2 Type II certifications. Their audit reports are available upon request under NDA.

  • Hosting: Render (SOC 2 Type II)
  • Database: MongoDB Atlas (SOC 2 Type II, ISO 27001)
  • Data region: US (primary). EU available on Enterprise.

Data Retention

Retention is configurable. Data is deleted on request or within 30 days of account termination. Backup copies are purged within 90 days.

Full Audit Trail

Every optimization decision is logged: what changed, why it was proposed, who approved it, and when it shipped. Complete traceability for compliance and debugging.

What we don't do

No training on your data. We don't use Customer Data to train, fine-tune, or improve any AI model — ours or anyone else's. This is a contractual commitment, not just a marketing promise.

No selling or sharing. Customer Data is never sold, rented, or shared with third parties beyond subprocessors required to deliver the Service.

No live experiments. We don't run experiments on live users. Simulations happen offline.

No broad access required. We don't require access to your entire production system — only the data you choose to send.

No irreversible changes. Every deployment includes instant rollback capability. You review and approve before anything ships.

Compliance Status

SOC 2 Type II

In progress, scoped to the Security trust service criteria (CC1–CC9). Infrastructure subprocessors (MongoDB Atlas, Render) maintain their own SOC 2 Type II reports, available under NDA.

GDPR

Supported. Data subject rights (access, rectification, erasure, portability, restriction, objection) handled per our DPA. EU Standard Contractual Clauses (Modules 2 and 3) available for international transfers.

CCPA/CPRA

Supported. Converra acts as a "Service Provider" under CCPA. No sale or sharing of personal information. See DPA Section 13.

Incident Response

Breach Notification

Converra will notify affected customers within 72 hours of confirming a data breach, including the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken to mitigate.

Responsible Disclosure

Security researchers can report vulnerabilities to security@converra.ai. See our security.txt for details. We triage promptly and prioritize remediation based on severity.

Security Contact

For all security-related inquiries, vulnerability reports, or incident concerns: security@converra.ai

Subprocessors

The following third parties process Customer Data on our behalf. Converra provides at least 30 days' notice before adding new subprocessors. Full details in our Data Processing Agreement.

Subprocessor     Purpose                                                    Location
MongoDB Atlas    Primary database                                           US
Render           Application hosting                                        US
OpenAI           AI model inference (simulation, evaluation, optimization)  US
Anthropic        AI model inference (simulation, evaluation, optimization)  US
Google AI        AI model inference (simulation, evaluation, optimization)  US
Stripe           Payment processing                                         US
Resend           Transactional email                                        US
Pinecone         Vector database                                            US
Upstash          Managed Redis (caching, rate limiting)                     US
AWS S3           File storage                                               US
PostHog          Product analytics                                          US/EU
Google OAuth     Authentication                                             US

Security FAQ

Do you store raw transcripts?

We store conversation data you send for optimization. You control what's included, and sensitive fields can be redacted before ingestion.

Do you train on our data?

No. This is a contractual commitment in our Terms of Service (Section 5.6) and DPA (Section 4). Your data is used only for your optimization. We don't train shared models or use your data to improve other customers' prompts.

Who owns optimized prompts?

You do. All prompt variants, optimizations, and recommendations generated using your data are your property. This is codified in our Terms of Service (Section 11.4).

Where is data stored?

Currently US regions. Enterprise customers can request specific region deployments including EU data residency.

Do you have a DPA?

Yes. Our DPA covers GDPR Article 28 requirements, EU Standard Contractual Clauses, CCPA "Service Provider" designation, sub-processor management, 72-hour breach notification, and audit rights.

Can we self-host, use VPC, or set custom retention?

Yes. Enterprise deployments support VPC, custom retention policies, and dedicated infrastructure. Contact us to discuss requirements.

Who's behind Converra

Oren Cohen, Founder of Converra

Second-time founder. Built Buildup (acquired by Stanley Black & Decker). Former VP Product Growth at Totango, where he shipped AI to production at scale.

  • Totango: re-accelerated ARR 10% → 43%
  • Buildup: 0 → $1M ARR, acquired
  • Technion CS

Enterprise requirements?

For teams with specific security, compliance, or deployment requirements — including VPC deployment, custom retention policies, NDA-protected SOC 2 reports, or custom security assessments — reach out and we'll work with you directly.

Contact security@converra.ai

Security built in from day one

Start improving your agents with confidence. Your data stays yours.
