
Security at Cuelock
Your agents process sensitive customer conversations across Slack, Gmail, and calls. Here is exactly how we protect that data.
Our Approach
Cuelock agents connect to your communications layer and process every customer conversation in real time. We understand the weight of that access. Security is not a feature we added. It is the foundation everything else is built on.
We follow industry-standard security frameworks and best practices across encryption, access control, data handling, and infrastructure. Our practices are aligned with SOC 2 Type II and GDPR requirements. We are transparent about where we are in the formal certification process and committed to continuous improvement.
Compliance Frameworks
SOC 2 Type II
Status: Aligned
Our infrastructure, access controls, and data handling practices are built to meet SOC 2 Type II requirements. We follow the Trust Services Criteria across security, availability, processing integrity, confidentiality, and privacy. A formal SOC 2 Type II audit is in progress; we do not yet hold the attestation report.
GDPR
Status: Compliant
We comply with the General Data Protection Regulation (GDPR) for all EU data subjects. This includes data minimization, purpose limitation, the right to erasure, and data portability. We act as a processor: we process personal data only on your instructions and maintain appropriate technical and organizational measures.
CCPA
Status: Compliant
We comply with the California Consumer Privacy Act (CCPA). California residents have the right to know what personal information is collected, to request deletion, and to opt out of data sales. We do not sell personal information.
A note on certifications
We want to be upfront: Cuelock does not currently hold a SOC 2 Type II attestation report (SOC 2 is an audit report issued by an independent CPA firm, not a certificate). Our security practices are designed to meet these standards, and we are actively pursuing the formal audit. In the meantime, we are happy to walk through our security controls in detail with any prospective customer. If your security team has questions, reach out directly and we will provide whatever documentation you need.
Security Practices
Encryption
- TLS 1.3 for all data in transit
- AES-256 encryption for all data at rest
- Encryption keys managed through a dedicated key management service (KMS)
- Plaintext customer data is never written to disk
Access Controls
- Role-based access control (RBAC) across all systems
- Principle of least privilege enforced for all team members
- Multi-factor authentication required for all internal access
- Every access event is logged and auditable
Data Handling
- Minimal data retention: we only store what agents need to function
- Customer-controlled retention policies
- No training of models on customer data
- Data deleted within 30 days of account termination
Infrastructure
- Hosted on AWS cloud infrastructure, which is covered by AWS's own SOC 2 reports
- 24/7 infrastructure monitoring with automated alerting
- Anomaly detection on all agent activity and data access
- Regular vulnerability scanning and penetration testing
Integrations
- OAuth 2.0 for all third-party connections (Slack, Gmail, Gong)
- We never store your passwords; we hold only the scoped OAuth tokens issued for each integration, encrypted at rest
- Minimal permission scopes requested per integration
- Tokens revocable at any time from your settings (revocation also invalidates the grant on the provider's side)
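A reviewer evaluating an integration will want to check the "minimal permission scopes" claim against the scopes the OAuth consent screen or app manifest actually asks for. The script below is an added example (not Cuelock's own code or policy): it classifies a granted scope list into read-only, write/admin, and "needs review" buckets. The Slack and Google scope names are real; the allowlist, the risk patterns, and the sample grants are this example's own assumptions. Gong scopes are omitted because their names are not on this page. Note that a write scope such as `chat:write` is legitimate when an agent posts back into Slack; the audit surfaces it so you can confirm it is intended, it does not decide for you.

```python
"""Least-privilege audit of OAuth scopes granted to an integration.

Constructed example for a security review of a third-party integration.
The scope names are real Slack and Google scopes; the allowlist, the
high-risk patterns and the sample grants below are assumptions.
"""
import re

# Read-only scopes we treat as acceptable without further review.
# ASSUMPTION: this is an illustrative allowlist, not Cuelock's policy.
READ_ONLY_ALLOWLIST = {
    "slack": {
        "channels:history", "channels:read", "groups:history", "groups:read",
        "im:history", "im:read", "mpim:history", "mpim:read", "users:read",
    },
    "google": {
        "https://www.googleapis.com/auth/gmail.readonly",
        "https://www.googleapis.com/auth/gmail.metadata",
    },
}

# Patterns that indicate write, admin or full-mailbox access.
# Slack: ":write"/":manage" suffixes and the admin.* family.
# Google: the full https://mail.google.com/ scope and modify/send/compose.
HIGH_RISK_PATTERNS = {
    "slack": [r":write$", r"^admin", r":manage$"],
    "google": [
        r"^https://mail\.google\.com/$",
        r"gmail\.modify$", r"gmail\.send$", r"gmail\.compose$",
    ],
}


def classify_scope(provider: str, scope: str) -> str:
    """Return 'allowed', 'high-risk' or 'review' for one scope string."""
    if scope in READ_ONLY_ALLOWLIST[provider]:
        return "allowed"
    if any(re.search(p, scope) for p in HIGH_RISK_PATTERNS[provider]):
        return "high-risk"
    return "review"  # unknown scope: neither clearly read-only nor known write


def audit_scopes(provider: str, granted) -> dict:
    """Bucket a granted scope list; scopes are de-duplicated and sorted."""
    report = {"allowed": [], "review": [], "high-risk": []}
    for scope in sorted(set(granted)):
        report[classify_scope(provider, scope)].append(scope)
    return report


def is_least_privilege(report: dict) -> bool:
    """True only if every granted scope is on the read-only allowlist."""
    return not report["high-risk"] and not report["review"]


# Constructed sample grants, as they might appear on a consent screen.
SAMPLE_SLACK_GRANT = ["channels:history", "channels:read", "users:read", "chat:write"]
SAMPLE_GOOGLE_GRANT = [
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://mail.google.com/",
]

if __name__ == "__main__":
    for provider, granted in (("slack", SAMPLE_SLACK_GRANT),
                              ("google", SAMPLE_GOOGLE_GRANT)):
        rep = audit_scopes(provider, granted)
        verdict = "least-privilege" if is_least_privilege(rep) else "REVIEW NEEDED"
        print(f"{provider}: {verdict}")
        for bucket, scopes in rep.items():
            if scopes:
                print(f"  {bucket}: {', '.join(scopes)}")
```

Paste the scope list from the app's consent screen or manifest into the sample lists and run the script; anything in the `high-risk` or `review` buckets should map to a documented agent function (for example, posting to Slack) or be removed from the requested scopes.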
Data Residency
- US and EU data residency options
- Data stored and processed by Cuelock never leaves your selected region
- Region selection available at account setup
- Supports data localization requirements that mandate storage within the US or EU
How Your Data Flows
Your Tools (Slack, Gmail, Calls) -> OAuth Connection (scoped tokens only) -> Cuelock Agents (process in memory) -> Your Systems (CRM, CSP, Slack)
All connections are encrypted with TLS 1.3. No passwords are stored; only scoped OAuth tokens. Data is processed in memory and written to encrypted storage only when an agent function requires it.
Frequently Asked Questions
Do you train AI models on my customer data?
No. Your data is never used to train models. Cuelock agents process your conversations to execute tasks and surface insights, but the underlying models are not fine-tuned or trained on your data.
Can I delete my data?
Yes. You can request full data deletion at any time. All data is removed within 30 days of account termination, and we provide written confirmation of deletion upon request.
Where is my data stored?
Your data is stored in your selected region (US or EU) on AWS infrastructure covered by AWS's own SOC 2 reports. Data stored and processed by Cuelock never leaves your selected region.
What happens if there is a security incident?
We have an incident response plan that includes immediate containment, investigation, and customer notification without undue delay and in any case within 72 hours of confirming a breach, so that you, as the data controller, can meet GDPR's 72-hour deadline for notifying your supervisory authority (Article 33). A post-incident review with remediation steps is shared with affected customers.
Can your team access my customer conversations?
Access to customer data is strictly limited to essential operations personnel, requires multi-factor authentication, follows the principle of least privilege, and is fully logged and auditable. We do not read your conversations unless access is specifically authorized for a troubleshooting request, and every such access is recorded in the audit log.
Questions about security?
We are happy to walk through our security controls, share documentation, or connect you with our team directly.
Talk to Us