Security
Last Updated: April 28, 2026
Whitmore AI, Inc (“Company,” “we,” “us”) is the AI receptionist and operator behind heywhitmore.ai. This page summarizes the technical and organizational measures we use to protect customer data. For the full data-handling policy, see our Privacy Policy.
1. Data Protection Practices
We implement security measures designed to protect customer information from unauthorized access, including:
- Encryption in transit (TLS). All connections to the Site and Service are served over HTTPS with modern TLS. Internal service-to-service traffic is encrypted.
- Encryption at rest. Sensitive fields — including third-party access tokens, authentication credentials, message content, and call recordings — are encrypted at rest in the production database.
- Row-level security on multi-tenant data. Customer data is isolated at the database level using row-level security policies so one organization cannot read or write another organization's records.
- Scoped third-party access tokens. When you connect a third-party service (Google Calendar, Meta / Facebook / Instagram, Composio integrations, Canva, Notion, etc.) we request only the scopes required to operate that integration. We do not access more data than the scopes you grant.
- Authentication and access control. Accounts are protected by passwords or third-party identity providers. Production access for Company personnel uses single sign-on with multi-factor authentication.
- Regular dependency patching. We monitor upstream dependencies for known vulnerabilities and apply security patches on an ongoing basis.
- Audit logging. Privileged actions on production systems are logged and retained for review.
No method of transmission over the internet or method of electronic storage is 100% secure; these measures reduce but do not eliminate risk. By using the Service you acknowledge and agree to assume the residual risk.
2. Account Security
Your account is protected by your account password (or third-party identity provider). To keep your data safe we recommend:
- Using a strong, unique password and a password manager
- Enabling multi-factor authentication on your identity provider where available
- Logging out of shared or untrusted devices
- Notifying us at security@heywhitmore.ai of any suspected unauthorized access
3. Subprocessors
We use the following service providers to operate the Service. Each is bound by contract (BAA / DPA where applicable) to handle customer data only at our direction and in accordance with their own privacy and security commitments. The list below reflects current production subprocessors:
- Vercel — hosting and serving of the Site and Service (web layer, edge network)
- Supabase — primary application database, authentication, and storage
- Cloudflare — edge protection, DNS, and DDoS mitigation
- Twilio — SMS and voice carrier; receives phone numbers and message/call content for the messages we send and receive on your authorization
- Anthropic — AI / large-language-model inference; receives prompts and supporting context (your tasks, contacts, conversations relevant to the request) so the AI can generate the response you asked for. Per Anthropic's policy, this data is processed only to generate the response and is not used to train their models without explicit additional consent.
- ElevenLabs — voice synthesis for voice-agent responses
We may add or change subprocessors as the Service evolves. Material changes are reflected here and in our Privacy Policy.
4. AI Data Handling
When the AI handles a communication on your behalf — for example, drafting a reply or running the AI receptionist — we send prompts and supporting context to our AI providers for inference. That data is processed only to generate the response and, under provider policy, is not used to train provider models without explicit additional consent. You can opt out of having your messages, transcripts, or AI-processing artifacts used in aggregated form for product improvement by emailing privacy@heywhitmore.ai with subject “Opt out of AI improvement use.” See Privacy Policy § II.A for details.
5. Incident Response
If we discover a security incident affecting customer Personal Information, we will:
- Investigate, contain, and remediate the incident
- Notify affected customers in accordance with applicable law (including state and federal breach-notification statutes)
- Provide affected customers with a description of what happened, what data was involved, and steps we are taking and steps the customer can take in response
6. Vulnerability Reports
If you believe you have found a security vulnerability in the Site or Service, please report it to security@heywhitmore.ai. Please give us a reasonable time to investigate and remediate before public disclosure. We do not currently operate a paid bug-bounty program but we appreciate good-faith reports.
7. Contact
- Security inquiries / vulnerability reports: security@heywhitmore.ai
- Privacy / data-rights requests: privacy@heywhitmore.ai
- Mail: Whitmore AI, Inc — 1789 Birdhaven Ln, Wendell, North Carolina 27591