Trust center
Security at Sales Lab.
Sales conversations are some of the most sensitive data in your organization. Every layer of Sales Lab is designed to be auditable, minimally trusted, and explicit about what we do — and do not — do with your team’s data.
Where your data lives
Application & database. Managed Postgres in a US region (AWS Virginia). Encrypted at rest with AES-256.
Voice infrastructure. Our voice vendor runs speech-to-speech inference in a US region. Audio streams are never persisted on our side; the vendor retains transcript snapshots only as required to deliver its API.
Scoring model. A frontier LLM, US region. Inputs are processed for inference only and are not used to train the model.
Email. A US-region transactional-email provider for magic-link sign-in and scorecard summaries. Recipients are limited to your own users.
In transit. TLS 1.3 between every hop. HSTS preloaded.
Who can access it
Your company admins. Can read every scenario, scorecard, and transcript belonging to your tenant. Reps can read only their own.
Sales Lab engineers. Production database access is limited to a named on-call rotation, requires hardware-backed MFA, and is broken-glass only — every session is time-bound, justified in writing, and logged with actor, reason, timestamp, and source IP.
No third-party access. We do not sell, share, or rent your data to anyone. The subprocessors we use are operationally required and contractually limited.
Audit logging
Every admin action — scenario create / edit / archive, KB edit, role change, share-token generation, and scorecard read — is logged with actor user-id, IP address, user-agent, and a timestamp. Logs are immutable for 365 days.
Compliance roadmap
Subprocessors
We use a small set of US-based subprocessors to run the product. The current list — each vendor with its purpose, the data it handles, and its region — is provided to customers on request and in our DPA. Email security@saleslab.cloud.
Reporting a vulnerability
Email security@saleslab.cloud. We acknowledge within one business day, never threaten or pursue good-faith researchers, and credit reporters who request it on this page after the fix ships.
Data export & deletion
Export. Admins can request a JSON export of every scenario, KB doc, session, transcript, and scorecard at any time.
Deletion. A signed delete request from a verified admin removes all tenant data — including audio blobs and third-party derived state — within 30 days.
Last updated · 2026-04-22