Welcome to heyBTW's Trust Center.
heyBTW provides B2B event attribution and co-marketing measurement for enterprise GTM teams. We're built on a privacy-first architecture: customer CRM data stays in customer custody, our integrations follow least-privilege by default, and our infrastructure is hosted on SOC 2 Type II compliant cloud services.
Use this Trust Center to review our security posture, request our security documentation, and start a security review. For anything not answered here, reach us at security@heybtw.com.
Product Security
heyBTW's product surface is hardened by design. CRM integrations follow least-privilege defaults. Our Salesforce integration is read-only via a managed package distributed through AppExchange and never writes to customer Salesforce orgs. Our MCP integration lets customer AI agents query heyBTW data without heyBTW ingesting customer CRM records. All authentication, authorization, integration, and data-modification events are written to application-level audit logs. Workspace-scoped API keys are tiered by privilege; write access is gated to Enterprise tier with explicit entitlements.
Data Security
Customer data is encrypted in transit (TLS 1.2+) and at rest (AES-256) across our cloud providers. Customer Data, Operational Data, and System Data are logically separated, and each category has documented retention and access controls. Customer data is logically segregated by workspace tenant. Backups are retained for up to 90 days and purged on customer-initiated deletion. Operational logs are retained for 12 months.
App Security
Application security spans static analysis, runtime monitoring, and responsible disclosure. All pull requests run dependency vulnerability scanning (Dependabot), secret scanning, and code review by the CTO before merge. GCP Security Command Center provides continuous infrastructure-layer detection. Sentry provides runtime error and anomaly monitoring. Vulnerability disclosure: report to security@heybtw.com. We respond within 5 business days and work in good faith with researchers.
Incident Response
heyBTW maintains an internal incident response runbook covering detection, containment, eradication, recovery, and post-incident review. The CTO is the on-call incident commander; the CEO handles customer and regulatory communications. Notification commitment: affected customers are notified within 72 hours of a confirmed incident affecting customer data, regardless of whether GDPR Article 33 strictly applies. Communication goes to the customer's designated security contact.
AI
heyBTW uses AI/ML for event attribution, attendee enrichment, partnership recommendations, and predictive analytics. What we don't do: we do not use customer data to train models that benefit other customers, we do not share insights derived from customer data with competitors, and we do not sell or license models trained on customer data. Our MCP integration lets customers use their own AI agents against heyBTW data without heyBTW ingesting customer CRM records. AI infrastructure maintains logical separation between customer tenants. Full AI policy: Privacy Policy Section 3.6 at heybtw.com/privacy.
Risk Management
heyBTW conducts risk assessments at major architectural decisions and at product changes that affect data flow or access. Vendor risk is managed by reviewing each subprocessor's SOC 2 / ISO 27001 attestation before contracting and again on material changes; the results are documented in our subprocessor register, which is available to enterprise customers via legal@heybtw.com.
Asset Management
Production cloud assets are tracked via cloud-native inventory tooling across our GCP and Azure environments. Workforce devices are inventoried via Google Workspace. Customer data assets are classified by category (Customer Data, Operational Data, System Data) with documented retention and access controls per category.
BC/DR
heyBTW's compute layer is designed for rapid redeployment across cloud zones. Customer data persisted in managed databases is backed up via automated daily snapshots with point-in-time recovery. Object storage is versioned on high-durability cloud storage. Recovery objectives: RPO ≤ 24 hours, RTO ≤ 8 hours for full service restoration. Backup data is retained for up to 90 days and purged on customer-initiated deletion.
Data Privacy
heyBTW is built on a privacy-first architecture. We act as a Data Processor under GDPR Article 28 and a Service Provider under CCPA. We do not sell customer data, do not share data for cross-context advertising, and do not use customer data to train AI/ML models that benefit other customers. Customer data is deleted within 90 days of contract termination. Data subject rights (access, rectification, deletion, portability, objection) are honored within 30 days. International transfers rely on EU Standard Contractual Clauses. Full details: heybtw.com/privacy. Enterprise DPA available via legal@heybtw.com.
Access Control
Customer authentication is handled by Auth0, with MFA support and SAML/OIDC SSO available on Enterprise plans. Sessions are bound to the workspace tenant. API keys are workspace-scoped, revocable from the admin UI, and never logged in plaintext. Internal personnel access uses Google Workspace SSO with mandatory MFA. Production access requires a separately authenticated MFA session. Privileged access is limited to the CTO and CEO. Onboarding and offboarding grant or revoke all access within 24 hours.
Infrastructure
Production runs on a hybrid of Google Cloud Platform and Microsoft Azure. Both providers hold current SOC 2 Type II and ISO 27001 attestations (Azure additionally holds ISO 27017, ISO 27018, and FedRAMP; GCP additionally holds ISO 27017 and ISO 27018). Customer data is primarily stored and processed in the United States. Network egress is restricted. Application services are designed for rapid redeployment across zones and providers for resilience.
Endpoint Security
Workforce devices are company-managed Macs with FileVault full-disk encryption, automatic OS and security updates, and screen-lock enforcement. Local admin accounts are restricted to the device owner and are not used for production access. Production access from any endpoint requires a separate authenticated session (Google Workspace SSO + MFA). No production credentials are stored in plaintext on endpoints. Centralized MDM is on the roadmap as the workforce grows.
Network Security
Production network egress is restricted by cloud-managed firewall rules across our GCP and Azure environments. All inbound traffic terminates at managed cloud services with TLS enforced. We do not operate a corporate office network; the team is fully remote and accesses production exclusively through authenticated, MFA-protected sessions to managed cloud services.