Security

Your customer data is sacred.
We built for that.

Coherence handles customer intelligence, revenue data, and product strategy. Our security is built for the sensitivity of what you trust us with.

Tenant Isolation

Workspace data is scoped through workspace-bound queries, protected routes, and Row-Level Security on tenant tables. We fail closed when secure production configuration is missing.

Encryption

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Database connections use SSL. API keys and secrets are stored in environment variables, never in code.

Authentication

Powered by Clerk with session management, MFA support, and organization-level access controls. Every API endpoint requires authentication. Webhook endpoints verify cryptographic signatures.

Audit Logging

Administrative and credential-bearing actions such as exports, deletes, token changes, and role changes are audit logged with actor and timestamp metadata.

Data Deletion

Request complete deletion of your workspace data at any time. We delete everything: signals, themes, scores, specs, customer records, and integration configs. No residual data.

Data Portability

Export your complete workspace data as JSON at any time. Your data is yours. No lock-in, no export fees, no waiting period.

Infrastructure

Hosted on Vercel (SOC 2 Type II) with Supabase (SOC 2 Type II) for the database. Both providers maintain comprehensive compliance programs. Data resides in AWS US regions.

AI Data Handling

Customer data sent to AI models is handled through API integrations, not public chat products. Prompts are structured to separate workspace data from instructions, and production routes fail closed when required AI configuration is missing.

What we store and why

Data Type | What We Store | Why
Customer records | Company name, ARR, segment, health score, renewal date | Revenue-weight scoring. This is the BCL differentiator.
Signals | Support tickets, call transcripts, NPS responses (text content) | Source material for theme extraction and evidence trails.
Embeddings | 1536-dimension vectors derived from signal text | Semantic clustering into themes. Cannot be reversed to original text.
Integration tokens | Encrypted OAuth tokens and provider tenant identifiers | Connect Stripe, Intercom, Gong, and HubSpot to the correct workspace and route webhooks safely.

Common questions

Is Coherence SOC 2 certified?

We are working toward SOC 2 Type I certification. Our infrastructure providers (Vercel, Supabase) are SOC 2 Type II certified. Contact us for our current security documentation.

Where is my data stored?

Your data is stored in Supabase (PostgreSQL on AWS) in US regions. If you require EU data residency, contact us to discuss options.

Is my data used to train AI models?

No. We use API access to Anthropic Claude and OpenAI models and do not permit customer workspace data to be used to train our product. Contact us for provider-specific retention details.

Can I delete all my data?

Yes. You can request complete workspace deletion at any time through the app or by contacting support. We delete all data within 30 days, including backups.

Do you have a DPA?

Yes. Contact security@getcoherence.ai for our Data Processing Agreement.

Questions about security?

We are happy to walk your security team through our architecture, share documentation, or discuss specific compliance requirements.

security@getcoherence.ai