Security & data handling
What we do, concretely, with manufacturer and installer data.
This page is written for procurement, security, and DPOs. It is the actual posture, not a marketing restatement of one. Material questions go to orr@fieldspan.ai.
Data residency
- Postgres primary on Neon — EU branch available per tenant on request (Frankfurt).
- Compute on Vercel edge, region-pinned to the tenant's jurisdiction.
- Gemini API with the Google Cloud Data Processing Addendum on file; EU-selectable regions.
- Message bodies are logged for eval in the tenant's data region; phone numbers are never logged in plaintext.
PII handling
- Phone numbers are hashed at rest with a per-tenant salt: `sha256(tenantId || E.164)`.
- Telegram user IDs are hashed with the same scheme.
- Raw E.164 phone numbers exist only in transient webhook payloads and are discarded after routing.
- Logs contain the phone hash and `request_id` only.
- Installer names, if captured at all, live in tenant-scoped tables with row-level tenant isolation.
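A reference implementation of the hashing scheme above, added here as an illustration rather than code from the fieldspan.ai codebase; it assumes UTF-8 encoding, lowercase hex output, and `||` as plain concatenation with no separator, none of which the page specifies:

```python
import hashlib
import re

# E.164: a leading '+', a non-zero first digit, at most 15 digits in total.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")


def phone_hash(tenant_id: str, e164: str) -> str:
    """Hex SHA-256 of tenantId || E.164 (assumption: plain concatenation, no separator).

    Because every E.164 number starts with '+', a tenant id that contains no '+'
    keeps the field boundary unambiguous: "ab" + "+12..." can never equal
    "a" + "b+12...". The hash is deterministic within a tenant (so a number can
    be looked up by its hash) but differs across tenants for the same number.
    """
    if not tenant_id or "+" in tenant_id:
        raise ValueError("tenantId must be non-empty and must not contain '+'")
    if not E164_RE.match(e164):
        raise ValueError("phone number must be normalised to E.164 before hashing")
    return hashlib.sha256((tenant_id + e164).encode("utf-8")).hexdigest()


def log_fields(tenant_id: str, e164: str, request_id: str) -> dict:
    """The only identifying fields a log line is allowed to carry."""
    return {"phone_hash": phone_hash(tenant_id, e164), "request_id": request_id}


if __name__ == "__main__":
    # Constructed sample values; not real tenants or subscribers.
    number = "+4915112345678"
    a = phone_hash("tenant-a", number)
    b = phone_hash("tenant-b", number)
    print(a == phone_hash("tenant-a", number))  # stable within a tenant
    print(a == b)  # per-tenant salt: different hash in another tenant
    print(log_fields("tenant-a", number, "req-0001"))
```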
Auth & boundaries
- All inbound webhooks verify HMAC signatures (Twilio, Telegram, Upstash QStash). Unverified webhooks are dropped.
- `/ops/*` is gated by basic auth with bcrypt-hashed credentials. Per-tenant scope is enforced at the middleware layer.
- Outbound API calls use bearer tokens from server-side secrets. No user-derived URLs are fetched server-side.
- No third-party JS on manufacturer/installer-facing surfaces (no tag managers, no ad pixels).
Retention
- At pilot, retention is indefinite so the corpus improves.
- Before production rollout, retention is configurable per tenant — message bodies, structured signals, and derived artifacts are independent retention classes.
- Data subject requests (access / erasure) are routed to orr@fieldspan.ai. Response within 30 days.
Subprocessors
| Subprocessor | Role | Region |
|---|---|---|
| Twilio | WhatsApp, SMS, and voice messaging | US / EU |
| Telegram | Secondary messaging channel | Global |
| Google (Gemini API) | LLM inference; DPA on file | EU-selectable |
| Vercel | Edge compute + static hosting | Region-pinned |
| Neon | Postgres primary datastore | EU branch available |
| Upstash (QStash) | Async job queue + scheduler | EU |
| Resend | Transactional email | US |
Logging & eval
- Message bodies are logged for offline eval — quality regressions, hallucination rate, citation accuracy.
- Phone numbers are never logged in plaintext; only `phone_hash` + `request_id` appear in logs.
- Eval datasets are tenant-scoped. Cross-tenant mixing requires written consent.
Incident response
- Security contact: orr@fieldspan.ai.
- At pilot scale, founder-led triage within 2 business hours. Tenant notified within 24 hours if confirmed.
- Post-incident writeups are shared with affected tenants.
Security posture: v1 · sourced from docs/architecture/system.md §6 & §9. Material updates are dated and diff-visible by intent.