Security & Data Privacy

How Despora protects your business data — from encryption and access control to AI privacy and infrastructure security.

TL;DR: Your data is protected at every layer. Despora enforces strict project-level isolation, encrypts all data in transit and at rest, uses Google's official OAuth for third-party connections (we never see your passwords), and applies role-based access control on every API endpoint. Your call transcripts and lead data are never sold, shared across accounts, or used to train AI models.

Overview

Security isn't an afterthought at Despora — it's built into the architecture. Because we handle sensitive business data including call recordings, lead transcripts, revenue figures, and marketing spend, we treat every piece of data as confidential by default.

This page documents the specific technical measures we implement to protect your data. If you have additional questions, contact our team.

Project-Level Data Isolation

Every piece of data in Despora — leads, analytics, call recordings, agent scores, and reports — is scoped to your project. There is no shared data space between accounts.

  • Strict project boundaries — Every API request resolves your identity and project authorization before any data is loaded. If the request doesn't match your project scope, it is rejected at the gate — not after loading data.
  • No cross-account leakage — Your leads, transcripts, dashboards, and configurations are invisible to other users. Even within multi-client agency accounts, each project maintains its own isolated data boundary.
  • Agency-level separation — Agencies that manage multiple client projects see only their own clients' data. Each project under an agency operates as an independent, isolated environment.

Encryption & Data In Transit

  • HTTPS everywhere — All traffic to and from Despora is encrypted with TLS. We enforce HSTS (HTTP Strict Transport Security) with a 2-year max-age, includeSubDomains, and preload — meaning your browser will never fall back to an unencrypted connection.
  • Password hashing — Passwords are salted and hashed with bcrypt. We never store plaintext credentials. Even if our database were compromised, passwords cannot be reversed.
  • Secure session cookies — Session tokens are stored in HTTP-only, Secure cookies that cannot be read by JavaScript, so a cross-site scripting (XSS) payload cannot read the token and steal your session.

Authentication & Sessions

  • Email verification — Every new account requires email verification before gaining access to the platform. Unverified accounts cannot sign in.
  • JWT-based sessions — Sessions are managed via signed JSON Web Tokens (JWTs) that are verified on every request. Tokens are cryptographically signed and cannot be forged without the signing key.
  • Time-limited reset tokens — Password reset flows use single-use, time-limited tokens delivered to your verified email address.
  • Internal API protection — Server-to-server API routes (cron jobs, background syncs) require secret-key authentication that is never exposed to the browser.

OAuth — We Never See Your Password

When you connect Google Analytics, Search Console, Google Business Profile, or Google Ads, Despora uses Google's official OAuth 2.0 flow. You authorize directly with Google — we never see or store your Google credentials.

  • Minimal scopes — We request only the read-only permissions needed to pull your analytics data (e.g., analytics.readonly, webmasters.readonly).
  • Token storage — We store only the access and refresh tokens required to maintain the connection. These tokens grant read access to your analytics — they cannot modify your Google accounts.
  • Revocable access — You can disconnect any integration at any time from your Despora settings, or revoke access directly from your Google account's security settings.

Role-Based Access Control

Despora enforces strict role-based permissions across the platform. Every API endpoint verifies the user's role and project authorization before returning any data.

Role      Access Level
Client    Can view and manage only their own project's data
Agency    Can manage projects under their own agency — no access to other agencies
Admin     Platform management with full audit capabilities

Unauthorized requests are rejected immediately. There is no scenario where a user can access another user's leads, transcripts, or analytics through the API.
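As an added illustration of the gate described in the isolation and role sections above (example code, not Despora's own implementation): the handler resolves the caller's role and project authorization before any lead data is loaded, and fails closed on unknown roles and unknown projects. The record shapes, user fields and sample data are assumptions constructed for the example.

```javascript
// Added example, not Despora's code. The client / agency / admin role model
// comes from the page; the project and user record shapes are assumed.

// Constructed sample records, not real data.
const PROJECTS = {
  "proj-a": { ownerId: "user-1", agencyId: "agency-x" },
  "proj-b": { ownerId: "user-2", agencyId: "agency-x" },
  "proj-c": { ownerId: "user-3", agencyId: "agency-y" },
};
const LEADS = {
  "proj-a": [{ id: "lead-1", transcript: "(constructed)" }],
  "proj-b": [{ id: "lead-2", transcript: "(constructed)" }],
  "proj-c": [{ id: "lead-3", transcript: "(constructed)" }],
};

// Decide whether `user` may access `projectId`. Only the ownership record is
// consulted here; no project data is loaded on the deny path.
function authorizeProject(user, projectId) {
  if (!user || !user.id || !user.role) return { ok: false, reason: "unauthenticated" };
  const project = PROJECTS[projectId];
  // Unknown projects get the same denial as foreign ones, so the gate does not
  // leak which project ids exist.
  if (!project) return { ok: false, reason: "not authorized for project" };
  switch (user.role) {
    case "admin":
      return { ok: true }; // platform-wide management
    case "agency":
      return project.agencyId === user.agencyId
        ? { ok: true }
        : { ok: false, reason: "not authorized for project" };
    case "client":
      return project.ownerId === user.id
        ? { ok: true }
        : { ok: false, reason: "not authorized for project" };
    default:
      return { ok: false, reason: "unknown role" }; // fail closed
  }
}

// Handler for an endpoint such as GET /projects/:id/leads: the authorization
// decision is made first, and the data lookup runs only after it succeeds.
function listLeads(user, projectId) {
  const decision = authorizeProject(user, projectId);
  if (!decision.ok) {
    return { status: decision.reason === "unauthenticated" ? 401 : 403, error: decision.reason };
  }
  return { status: 200, leads: LEADS[projectId] };
}
```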

Security Headers & Browser Protection

Every response from Despora includes a full suite of hardened HTTP security headers:

  • Content Security Policy (CSP) — Restricts exactly which scripts, styles, and connections the browser can load, blocking code injection and cross-site scripting attacks.
  • X-Frame-Options: SAMEORIGIN — Prevents clickjacking by blocking the app from being embedded in third-party iframes.
  • X-Content-Type-Options: nosniff — Prevents browsers from MIME-type sniffing, so a response is handled only as the content type it declares; this blocks content injection attacks that rely on a file being interpreted as script or HTML.
  • Strict Referrer Policy — Limits what URL information is shared when navigating away from Despora.
  • Permissions Policy — Explicitly disables browser access to camera, microphone, and geolocation — features Despora does not need.
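An added example (not Despora's own code) that audits a response's headers against the transport and browser-protection policy stated in the two sections above, including the 2-year HSTS max-age with includeSubDomains and preload. The sample header values are constructed to match the description, not captured from the service, and the accepted Referrer-Policy values are an assumption.

```javascript
// Added example, not Despora's code: check a header set against the page's policy.
const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // 63072000 seconds, the stated HSTS max-age

// Parse "max-age=N; includeSubDomains; preload" into its directives.
function parseHsts(value) {
  const out = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const raw of (value || "").split(";")) {
    const d = raw.trim().toLowerCase();
    if (d.startsWith("max-age=")) out.maxAge = parseInt(d.slice(8), 10) || 0;
    else if (d === "includesubdomains") out.includeSubDomains = true;
    else if (d === "preload") out.preload = true;
  }
  return out;
}

// Return the list of policy violations; an empty list means every check passed.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const issues = [];
  const hsts = parseHsts(h["strict-transport-security"]);
  if (hsts.maxAge < TWO_YEARS) issues.push("HSTS max-age below 2 years");
  if (!hsts.includeSubDomains) issues.push("HSTS missing includeSubDomains");
  if (!hsts.preload) issues.push("HSTS missing preload");
  const csp = h["content-security-policy"] || "";
  if (!csp) issues.push("missing Content-Security-Policy");
  else if (/script-src[^;]*'unsafe-inline'/.test(csp)) issues.push("CSP script-src permits 'unsafe-inline'");
  if ((h["x-frame-options"] || "").toUpperCase() !== "SAMEORIGIN") issues.push("X-Frame-Options is not SAMEORIGIN");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") issues.push("X-Content-Type-Options is not nosniff");
  // Assumed set of "strict" referrer policies: none of these leak the full URL cross-origin.
  if (!/^(no-referrer|strict-origin|strict-origin-when-cross-origin|same-origin)$/.test(h["referrer-policy"] || ""))
    issues.push("Referrer-Policy is not a strict value");
  const pp = h["permissions-policy"] || "";
  for (const feature of ["camera", "microphone", "geolocation"])
    if (!new RegExp(`${feature}=\\(\\)`).test(pp)) issues.push(`Permissions-Policy does not disable ${feature}`);
  return issues;
}

// Constructed headers matching the page's description (not captured from production).
const SAMPLE_HEADERS = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};
```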

AI Analysis Privacy

When Despora's AI scores and analyzes your leads, the analysis is performed per-touchpoint within your project scope. Your data stays yours:

  • No cross-account exposure — Your call transcripts and lead data are never shared with other clients or visible to other accounts.
  • No model training — Your data is never used to train, fine-tune, or improve AI models. Analysis is performed on-demand and results are stored exclusively in your project.
  • Minimal data transmission — Only the transcript and your service catalogue are sent to the AI for analysis. No other account data is included in the request.

Data Sharing Policy

We do not sell, rent, or share your business data with any third party.

Your call recordings, lead transcripts, analytics, and marketing data stay exclusively within your Despora dashboard. The only third-party services that interact with your data are:

  • Infrastructure providers — Hosting (Vercel), database (Supabase/PostgreSQL), and email delivery (AWS SES) — all under strict data processing agreements.
  • AI analysis — Google Gemini processes individual transcripts for lead scoring. No data is retained by the AI provider after processing.
  • Transcription — Deepgram processes call audio for speech-to-text conversion when CallRail transcripts are unavailable. Audio is not stored after transcription.

Infrastructure Security

Despora runs on Vercel's edge infrastructure, which provides:

  • SOC 2 Type II compliant hosting
  • Automatic DDoS protection at the edge
  • TLS 1.3 encryption for all connections
  • Isolated serverless functions — no shared server processes between requests
  • Automatic scaling — no single point of failure

Database infrastructure is hosted on Supabase with connection pooling, encrypted connections, and row-level access policies.

Data Retention & Deletion

  • Active accounts — Your data is retained for as long as your account is active.
  • Account deletion — You can request full data deletion at any time by contacting us. All leads, transcripts, analytics, and account information will be permanently removed.
  • Automatic cleanup — Pending leads that are not reviewed within 40 days are automatically expired. Stale synchronization jobs are aborted after 60 minutes.
  • No cookies for tracking — We use session cookies only (HTTP-only JWTs) to keep you logged in. We do not use advertising or tracking cookies.

For the full legal text, see our Privacy Policy and Terms of Service.