We're a small operation taking security seriously, not a Fortune 500 with a $5M security team. This page tells you exactly what we do, what we use, what we promise, and — importantly — what we don't claim. We'd rather be honest now than caught overstating later. Have a security question we don't answer here? Email beardedai.net@gmail.com.
1. Our security approach
Bearded AI builds tools for service businesses. The data flowing through our systems includes business contact information, schedule details, pricing, financial records, and call/SMS conversations. We treat that data the way we'd want our own treated.
Our approach is built on five principles:
Less data is safer data. Lunara is local-first by design. The less we hold, the less can leak.
Stand on giants' shoulders. AWS, Stripe, Google, Supabase have spent billions on security infrastructure. We use them rather than reinvent.
Defense in depth. No single layer is the whole defense. HTTPS + hashed passwords + scoped tokens + PIN gates + WebAuthn — all together.
Honest about limits. We don't claim certifications we haven't earned.
Customer control. You can export your data anytime. You can delete your account. You're never locked in.
2. Certifications and what we don't claim
We believe in being upfront. Here's the truth about our certification status:
Certification / Standard | Status | Notes
SOC 2 Type II | Not yet | Roadmap target as we scale. Our infrastructure providers (AWS, Stripe) are SOC 2 Type II certified.
ISO 27001 | Not yet | Same as SOC 2 — future target. Inheritance from infrastructure providers.
HIPAA | Not compliant | We do not sign Business Associate Agreements. Do not use Bearded AI to store or process Protected Health Information (PHI). If you need HIPAA-grade tools, look elsewhere.
PCI DSS | By design | We never touch raw card numbers. Stripe handles all payment data and is PCI DSS Level 1 certified. Card details flow directly from your browser to Stripe, bypassing us entirely.
GDPR / UK GDPR | Aligned | Privacy Policy includes legal bases, data subject rights, breach notification commitments. Service providers operate under SCCs.
CCPA / CPRA | Aligned | California rights documented and honored. We don't sell or share personal information for cross-context behavioral advertising.
COPPA | Aligned | Services are not directed at children under 13. We don't knowingly collect their data.
FedRAMP | Not certified | Not a federal contractor. Don't use Bearded AI for classified or regulated federal data.
Why we publish this
Most SaaS companies claim every certification under the sun. We've all seen "SOC 2 compliant!" badges that turn out to be aspirational at best, deceptive at worst. We'd rather you know exactly where we stand. As we grow, we'll pursue the certifications that match our customer base — and we'll publish the actual audit reports here when we have them.
3. Encryption
Data in transit
All beardedai.net traffic uses HTTPS with TLS 1.2 or higher, enforced by AWS CloudFront
Modern cipher suites with forward secrecy
HSTS (HTTP Strict Transport Security) prevents downgrade attacks
Voice agent calls flow through encrypted SIP/WebRTC channels via our voice infrastructure providers
SMS traffic uses carrier-grade encryption between API and recipient
Data at rest
Lunara local data: Stored in your browser's localStorage. Encryption at rest depends on your device (Mac FileVault, Windows BitLocker, mobile device encryption — typically on by default on modern devices).
Backend data (when Supabase is enabled): Encrypted at rest using AES-256 by Supabase's underlying Postgres infrastructure on AWS.
Payment data (Stripe): Stripe encrypts card data at rest using AES-256 and tokenizes for storage. We never see raw card numbers.
Static site files (AWS S3): Encrypted at rest with SSE-S3 by default.
Password storage
Current local-first version: passwords hashed with SHA-256 before localStorage write
Supabase migration (in progress): bcrypt with appropriate work factor — industry standard
We never log, transmit, or store plaintext passwords
4. Authentication
We support multiple authentication methods, layered for different threat models:
Token stored in your browser only — never sent to our servers
5. Data architecture
Local-first by design
The single most important security decision in Lunara: your business data stays on your device. Client lists, jobs, invoices, schedule events, and automation rules are written to your browser's localStorage. We literally cannot read them.
This architectural choice has significant security implications:
No central database to breach. Even if our servers were compromised tomorrow, your CRM data wouldn't be there to steal.
You control your data. Clear your browser, the data is gone — including from us.
Privacy law obligations are reduced. Data we don't have, we don't have to protect, disclose, or hand over to subpoenas.
We perform basic vendor due diligence: we don't use providers without published privacy and security policies, and we prefer providers with at least SOC 2 Type II certification for any service handling customer data.
7. Privacy compliance
Detailed privacy practices are in our Privacy Policy. Quick summary of compliance posture:
Aligned: GDPR / UK GDPR — legal bases, data subject rights, 72-hour breach notification commitment, Standard Contractual Clauses for international transfers
Aligned: CCPA / CPRA — full disclosures, right to know/delete/correct, GPC signal honored, no sale or sharing for advertising
Aligned: COPPA — Services not directed at children under 13
Aligned: VCDPA, CPA, CTDPA, UCPA (Virginia, Colorado, Connecticut, Utah) — same data subject rights extended to those states
Disclosure: Google API Services User Data Policy / Limited Use — explicitly documented in our Privacy Policy section 8
Data subject rights — how to exercise
Email beardedai.net@gmail.com with subject "Privacy Request" to request access, correction, deletion, portability, or opt-out. We acknowledge within 5 business days and substantively respond within 30 (extended to 45 days where law allows). Authorized agents may submit on your behalf with proof of authorization.
8. TCPA, CAN-SPAM & telecom rules
You are the sender. We are the tool.
Voice agents, SMS agents, and any outbound communication tool are powerful, and that power comes with serious legal exposure. TCPA violations carry $500 to $1,500 statutory damages per call or text. Class-action damages routinely reach the millions.
In February 2024, the FCC issued a declaratory ruling that AI-generated voice calls are treated as "artificial or prerecorded voice" calls under the TCPA. That means prior express written consent is required for any marketing call using an AI voice to a wireless number. This is non-negotiable. We build features to help you stay compliant, but compliance is your legal responsibility.
What we build in (technical safeguards)
AI disclosure prompts. Voice agent scripts default to opening with a clear AI disclosure that identifies the system as artificial and names your business. California (BPC § 17941), Utah (SB-149), Colorado, and a growing list of states now require this disclosure by law for commercial transactions. We default to "on" everywhere.
STOP / unsubscribe handling. SMS agents automatically recognize STOP, UNSUBSCRIBE, QUIT, END, CANCEL, REMOVE, OPTOUT and equivalent opt-out keywords, and immediately suppress further contact to that number.
Recording-consent prompts. Voice agents configured to record calls include a recording-consent disclosure in the greeting for all-party-consent states: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont, and Washington. Pennsylvania specifically falls under 18 Pa.C.S. § 5701 et seq. (PA Wiretapping & Electronic Surveillance Control Act).
Time-of-day windows. Outbound campaigns can be scoped to TCPA-safe calling windows (8:00 AM – 9:00 PM recipient local time, with state-specific exceptions handled where stricter).
Caller-ID accuracy. We do not allow spoofed or misleading caller ID configurations on our platform (Truth in Caller ID Act compliance).
Audit trail. Every call and SMS interaction is logged with timestamp, recipient, outcome, and (where applicable) consent disposition.
DNC scrubbing. Roadmap: integration with the National Do Not Call Registry for outbound prospect list screening.
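Two of the safeguards listed above, opt-out keyword handling and time-of-day windows, are simple enough to show as working logic. The block below is an added example written for this page, not Bearded AI's implementation. The keyword list is the one given above; the matching rule (the message is, or begins with, a keyword, case-insensitive, punctuation ignored), the suppression-list shape, the assumption that numbers arrive already in E.164 form, and the sample messages are all this example's own choices.

```javascript
// Added example (not Bearded AI code): opt-out keyword recognition with a
// suppression list, and a calling-window check in the recipient's local time.
// Matching rule, data shapes and sample inputs are assumptions for the example.

// Keywords from the page. "OPT OUT" / "opt-out" is handled by joining the
// first two words, so it also maps onto OPTOUT.
const OPT_OUT_KEYWORDS = new Set([
  'STOP', 'UNSUBSCRIBE', 'QUIT', 'END', 'CANCEL', 'REMOVE', 'OPTOUT',
]);

// Uppercase, replace punctuation with spaces, split into words.
function normalize(text) {
  return String(text)
    .toUpperCase()
    .replace(/[^A-Z0-9\s]/g, ' ')
    .trim()
    .split(/\s+/)
    .filter(Boolean);
}

// Conservative rule: the message must be, or begin with, an opt-out keyword.
// A keyword buried mid-sentence ("can you cancel my 3pm?") is not treated as
// an opt-out, so a real customer request is not silently suppressed; such
// messages are left for a human to read.
function isOptOutMessage(text) {
  const words = normalize(text);
  if (words.length === 0) return false;
  return OPT_OUT_KEYWORDS.has(words[0]) || OPT_OUT_KEYWORDS.has(words.slice(0, 2).join(''));
}

// Suppression list keyed by E.164 number (assumed already normalized),
// recording when the opt-out arrived so the record can be retained.
class SuppressionList {
  constructor() { this.blocked = new Map(); }
  // Returns true when the inbound message was an opt-out and was recorded.
  processInbound(fromNumber, text, now = new Date()) {
    if (!isOptOutMessage(text)) return false;
    this.blocked.set(fromNumber, now.toISOString());
    return true;
  }
  maySend(toNumber) { return !this.blocked.has(toNumber); }
}

// Calling window from the page: 8:00 AM up to (not including) 9:00 PM,
// recipient local time. State-specific stricter windows are out of scope here.
const WINDOW_START_HOUR = 8;
const WINDOW_END_HOUR = 21;

function localHour(date, timeZone) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone, hour: 'numeric', hourCycle: 'h23',
  }).formatToParts(date);
  return Number(parts.find((p) => p.type === 'hour').value);
}

function withinCallingWindow(date, recipientTimeZone) {
  const h = localHour(date, recipientTimeZone);
  return h >= WINDOW_START_HOUR && h < WINDOW_END_HOUR;
}

// Demo with constructed inputs.
const list = new SuppressionList();
console.log('opt-out recorded:', list.processInbound('+15555550100', 'Stop.'));
console.log('may send to that number:', list.maySend('+15555550100'));
console.log('12:00Z in New York within window:',
  withinCallingWindow(new Date('2024-06-15T12:00:00Z'), 'America/New_York'));
```

The window check takes the recipient's time zone rather than the sender's; a campaign run from one coast into another is where the 8:00 AM / 9:00 PM boundary is most often crossed by accident.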
What you must do (your legal responsibility)
Express written consent. Obtain and document TCPA-compliant prior express written consent before any AI-voice or marketing-text contact to a wireless number. Consent must include clear and conspicuous disclosure that you'll use an autodialer or AI voice, must be signed (electronically or otherwise), and cannot be required as a condition of purchase.
Honor opt-outs. Process STOP / opt-out requests within 24 hours. Maintain opt-out records for at least five years.
State telemarketing registration. Many states require telemarketers to register and post a bond before placing outbound marketing calls to their residents. Check requirements in every state you call into — not just where you're based.
National + State DNC lists. Scrub your call lists against the National DNC Registry and applicable state DNC lists before each campaign.
Industry licensing. Hold any state licenses required for your industry (insurance, healthcare, legal, mortgage, debt collection) before contacting prospects in those areas.
Email outreach (CAN-SPAM). Email blasts must include clear sender ID, valid physical postal address, accurate subject lines, and an opt-out mechanism honored within 10 business days.
No PHI. We are not HIPAA-compliant and do not sign Business Associate Agreements. Do not use our service to handle Protected Health Information.
Recommended script openers
To help you stay compliant, here are template AI disclosure + recording consent openers. These are starting points only — adapt them to your business and have an attorney confirm they meet your state's specific requirements.
Outbound (no recording): "Hi, this is an AI assistant calling on behalf of [Your Business Legal Name]. The purpose of my call is [reason]. Do you have a moment?"
Outbound (recorded, all-party-consent state): "Hi, this is an AI assistant calling on behalf of [Your Business Legal Name]. This call may be recorded for quality and training purposes — by remaining on the line, you consent to the recording. May I help you with [reason]?"
Inbound (no recording): "Thank you for calling [Your Business Legal Name]. This is an AI assistant. How can I help you?"
Inbound (recorded): "Thank you for calling [Your Business Legal Name]. This call may be recorded for quality and training. You're speaking with an AI assistant — how can I help?"
9. Access control
Customer accounts: Tenant data is namespaced — each tenant's data is stored under unique keys (crm_{tenantId}_*) and never accessible to other tenants.
Admin tools: Master admin PIN (2949) gates global infrastructure settings (Maps API key, Google OAuth Client ID, pricing). Limited admin PINs (8221, 4252) can manage tenants but cannot edit global config.
Bearded AI staff: Currently a single operator (Jesse). All access is logged. As we scale, we'll publish a formal access policy.
Vendor access: Service providers (AWS, Stripe, Google) have access only to data they're processing on our behalf, governed by their respective DPAs.
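The tenant namespacing described above (keys of the form crm_{tenantId}_*) is enforced by whatever code builds the storage keys, so the useful pattern is to route every read, write and listing through one wrapper that owns the prefix. The block below is an added example, not Lunara's code. It uses the page's key scheme, substitutes an in-memory object for window.localStorage so it runs under Node (an assumption; in a browser you would pass window.localStorage), and restricts tenant ids to a character set that excludes "_" so the prefix boundary cannot be forged by a crafted id.

```javascript
// Added example (not Lunara's code): a storage wrapper that scopes every key
// under crm_{tenantId}_* as the page describes. MemoryStorage stands in for
// window.localStorage so the example runs under Node (assumption).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Tenant ids: letters, digits and hyphens only. Excluding "_" (the prefix
// delimiter) means "crm_a_" can never be a prefix of another tenant's keys,
// and ids such as "a_*" or "../b" are rejected outright.
const TENANT_ID_RE = /^[A-Za-z0-9-]{1,64}$/;

class TenantStore {
  constructor(storage, tenantId) {
    if (!TENANT_ID_RE.test(String(tenantId))) throw new Error('invalid tenant id');
    this.storage = storage;
    this.prefix = `crm_${tenantId}_`;
  }

  // Every access goes through the prefix; the class exposes no raw-key path.
  set(name, value) {
    this.storage.setItem(this.prefix + name, JSON.stringify(value));
  }

  get(name) {
    const raw = this.storage.getItem(this.prefix + name);
    return raw === null ? undefined : JSON.parse(raw);
  }

  remove(name) {
    this.storage.removeItem(this.prefix + name);
  }

  // Enumerate only this tenant's keys, with the prefix stripped.
  keys() {
    const out = [];
    for (let i = 0; i < this.storage.length; i++) {
      const k = this.storage.key(i);
      if (k !== null && k.startsWith(this.prefix)) out.push(k.slice(this.prefix.length));
    }
    return out;
  }

  // Remove everything under this tenant's namespace and nothing else.
  clear() {
    for (const name of this.keys()) this.remove(name);
  }
}

// Demo with constructed tenants sharing one storage area.
const shared = new MemoryStorage();
const tenantA = new TenantStore(shared, 'tenant-a');
const tenantB = new TenantStore(shared, 'tenant-b');
tenantA.set('clients', [{ name: 'Constructed Example Co.' }]);
tenantB.set('clients', []);
console.log('tenant A sees:', tenantA.keys(), tenantA.get('clients'));
console.log('tenant B sees:', tenantB.keys(), tenantB.get('clients'));
```

Keeping the prefix logic in one place also makes the "clear your browser, the data is gone" property from section 5 testable: clear() for one tenant can be shown to leave every other tenant's keys untouched.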
10. Monitoring & logging
AWS CloudFront / S3 access logs — IP, user-agent, requested path, timestamp. Retained up to 90 days.
Stripe payment logs — billing events, payment failures, subscription changes. Retained per Stripe policy (typically 7+ years for financial records).
Application activity (Lunara) — actions like "client created," "email sent," "stage changed" are logged to your local activity feed (capped at 500 entries).
Voice agent call logs — duration, outcome, transcript. Retained per your Service Agreement (typically 12 months).
We don't deploy session-replay tools (FullStory, Hotjar, etc.) or third-party analytics that track individual users. We don't sell logs. We don't share logs with third parties except as required by law.
11. Incident response
Our commitment
If we discover a security incident affecting your data, we will notify you
For incidents affecting EU/UK residents: notification to supervisory authority within 72 hours per GDPR
For incidents affecting US residents: notification under applicable state law (typically "without unreasonable delay" or within statutory deadlines)
Notification will describe: nature of the incident, data involved, our response, and what you should do
Our process
Detect — alerted via vendor security feeds, customer reports, or internal monitoring
Include: description of the issue, steps to reproduce, potential impact, your contact info
What we'll do: Acknowledge receipt within 2 business days. Investigate and respond within 14 days with our assessment and remediation plan.
Please do not: publicly disclose before we've had a chance to fix, exploit the vulnerability beyond proof-of-concept, or access data that isn't yours.
Recognition: We don't have a formal bug bounty program yet, but we'll credit reporters publicly (with permission) and may offer service credit or other thanks for material findings.
14. Security roadmap
What we're working toward, in rough priority order:
Supabase backend migration — moves auth and payments off pure localStorage to industry-standard backend (in progress)
2FA / MFA enforcement — option to require WebAuthn or TOTP for tenant accounts
Stripe webhook signature verification — ensures only authentic Stripe events flip plan tiers
Row Level Security (RLS) policies — Supabase-side enforcement that tenants can only see their own data
SOC 2 Type II — first formal audit, target as we scale paying customer count
Bug bounty program — formal vulnerability disclosure program with rewards
Public uptime / status page — real-time service status visible to customers
HSM-backed key management — for any new sensitive operations we add
15. Contact
Questions, security inquiries, vendor due-diligence requests, or audit documentation requests: