How we handle your brand,
your persona, your data.

SOC 2 Type II is on the 2026 roadmap, scoped to start mid-year once private-beta volume justifies the audit. Today we run on Vercel (Frankfurt + Washington edges) and Supabase (eu-west-1 primary), both SOC 2 Type II attested upstream. Internal practices: encryption at rest and in transit, least-privilege admin access, key rotation, no developer access to customer brand data without an explicit approved support ticket. We can share a one-pager covering today's posture on the demo call.

Yes. Our standard DPA covers GDPR and CCPA processor obligations and is available on every paid tier. An MSA with mutual indemnification, custom payment terms, and SLA language is available on the Agency annual and Enterprise tiers. Both documents can be sent during demo follow-up no separate procurement portal step required.

Customer account data, brand assets, and rendered reels are stored in eu-west-1 (Ireland) by default. US-only and APAC residency is available on the Enterprise tier with a workspace-level region pin. We do not ship customer data outside the pinned region except for read-only delivery to social platforms (Instagram, YouTube, etc.) when publishing the reels you ask us to publish.

SAML SSO via Okta, Azure AD, Google Workspace, and JumpCloud is available on Agency annual and Enterprise. SCIM provisioning available on Enterprise. Standard email-link sign-in is the default on Brand and Studio tiers, with 2FA enforced for any seat with publish permissions.

You do. The persona output (face, voice, hook bank, rendered reels) is licensed to your brand exclusively for as long as your account is active. If you cancel, the persona is retired and not reissued to any other brand. The underlying generative models are upstream third-party (e.g., voice cloning, video generation providers); their terms are passed through transparently and listed in your account on request. We never train models on your brand's content.

Every reel we ship can include an in-frame AI-generated label and an in-caption disclosure tag both on by default for the Brand tier and configurable on Studio and above per platform and per persona. We follow current FTC guidance on AI-generated likeness in advertising contexts. For paid promotion or affiliate disclosures, your account-level disclosure copy is appended automatically to the caption.

Yes, with category-specific guardrails. Health and supplements use a claim-checking layer that strips unsubstantiated health claims and substitutes structure-function language where appropriate. Financial services and personal finance use FINRA/SEC-aware copy guardrails. We do not currently work with pharma DTC, regulated medical devices, or licensed financial advice products those have category-specific requirements that exceed what we can underwrite at private-beta scale.

Yes. On Agency annual and Enterprise we run security questionnaires (CAIQ, VSA, custom) and answer follow-ups directly. Typical turnaround is 5-7 business days from questionnaire receipt. A vendor security review call with our team is part of the Enterprise demo flow.

On cancellation, your account moves to a 30-day grace window during which you can re-activate, export all assets and rendered reels, or trigger immediate deletion. After 30 days, the account is hard-deleted: brand assets, persona artifacts, rendered reels, and analytics history are removed from primary storage. Backups roll off on a 90-day cycle. We can provide a deletion-confirmation letter on request.

Our quality gate catches the vast majority of brand-safety issues before publish, but if something does ship that you flag as off-brand or non-compliant: you (or any seat with publish permissions) can hit Unpublish in the dashboard and the reel is taken down across all platforms within 5 minutes via the platform APIs. We then run a root-cause review and update the persona's guardrails so the same shape of issue cannot recur.