Your clients' data, secured end-to-end.
Agencies need proof, not promises. Here's how we protect workspaces, messages, and AI context — with transparency on what's live today and what's in flight.
SOC 2 Type I — in progress.
We're working toward SOC 2 Type I attestation with Type II to follow. If you need a security packet or questionnaire for procurement today, we'll send what we have plus the current control inventory.
Four pillars
How we protect every workspace.
Encryption
Data in transit is protected with TLS. Data at rest uses industry-standard encryption on our cloud providers. Keys are managed per provider best practices; we minimize sensitive data in logs and restrict access to production systems.
Data residency
Primary application and database hosting is in the United States unless otherwise agreed for your workspace. EU/UK residency options may be available for enterprise agreements — ask us when you're ready to standardize on a region.
Access controls
Team members only see workspaces they're invited to. Role-based permissions separate admin actions from day-to-day inbox work. Workspace isolation is enforced at the data layer, not just by policy.
Compliance
GDPR-ready workflows, CCPA considerations, and DPAs available on request. We support customers who need DPA coverage and subprocessor lists. Specific legal terms live in your contract; this page is a high-level overview.
Responsible disclosure
Found something? Tell us.
Email security@inexra.com with reproduction steps. We read every report and work with reporters on coordinated disclosure when appropriate.
Procurement questions
Answers to what your CISO will ask.
Is my data used for AI training?
We don't use your client message content to train public foundation models for third parties. Product AI features operate in the context of your workspace — see your agreement and DPA for the exact terms that apply to your plan.
Are client workspaces really isolated?
Yes — at the data layer, not just in the UI. Every workspace is a separate tenant: messages, AI context, brand voice, team permissions, pipeline, and reports never aggregate across clients unless you explicitly request a rollup view.
Can I export my data?
Yes — exports and reporting flows are designed so agencies can hand materials to clients or archive work. Availability varies by plan; contact us if you need a bespoke export format.
What happens if I cancel?
You can export what you need before offboarding. We retain data only as long as required for the product and applicable law, then delete according to our retention schedule. Details are in our Privacy Policy and your order form.
Where do you store Instagram access tokens?
OAuth tokens are encrypted at rest and scoped per workspace. Tokens never appear in logs or exports. We refresh on Meta's expiration cadence and request only the scopes needed for messaging + insights.
Do you have a SOC 2 report I can share with procurement?
SOC 2 Type I is in progress. If you need a security packet or vendor questionnaire today, email security@inexra.com and we'll send what we have.
Need procurement support?
We'll walk you through every control on the call.
Bring your security questionnaire, your DPA, or just your toughest questions. We'd rather over-share than have you wonder.