Trust & Compliance
Shared responsibility, data location, subprocessors, and what we do and do not do. For security and legal review.
Shared responsibility
SOC 2 Type II — In Progress. LetsPing is actively building toward SOC 2 Type II certification, targeting completion in Q4 2026. Enterprise customers can request our current security package (architecture diagram, pen-test summary, and controls evidence) via security@letsping.co.
LetsPing operates the control plane: we receive requests, run guardrails, persist state, and deliver webhooks. We do not execute your business logic or access your downstream systems. The table below is the single source of truth for who is responsible for what.
| Responsibility | LetsPing | Customer |
|---|---|---|
| Tenant isolation & data scoping | All data scoped by project/org; no cross-tenant access. | — |
| API key & webhook secret custody | Keys hashed at rest; we never store plaintext. Replay-safe webhook verification. | You protect keys and secrets; rotate if leaked. |
| Guardrail execution & firewall | We run velocity, injection, PII, cost, loop, and behavioral guardrails at ingest. | You choose which tools to wrap and which guardrails to enable; you approve or reject paused requests. |
| Encryption (at rest & in transit) | TLS in transit; Supabase encryption at rest. Optional client-side E2E so we never see plaintext. | You may set LETSPING_ENCRYPTION_KEY for E2E; you protect that key. |
| Audit trail & logging | We write audit logs (configurable retention); we redact PII in firewall block events. | You export and retain logs per your policy; you do not log raw payloads or secrets. |
| Availability of ingest & webhooks | We target 99.9% for ingest and webhook delivery; see Terms for SLO. | You design retries and idempotency; you keep your webhook endpoint available and verified. |
| Business logic & execution consequences | — | You own agent logic, payload content, and what happens when you approve (e.g. Stripe charge, DB write). |
| Compliance of your use case | — | You ensure your use of LetsPing meets your industry and regulatory requirements. |
Data location & subprocessors
Data is processed and stored in the United States via our infrastructure and subprocessors. We do not sell or share your data with third parties for advertising or marketing.
For a full list of subprocessors (vendor, purpose, persistence), see the Privacy Protocol. We use Upstash (Redis and QStash for async workers), Supabase (PostgreSQL and auth), Vercel (application hosting), and Stripe (billing). Each processes data only as necessary to provide the service.
For a signed Data Processing Agreement (DPA), see the DPA page, or contact legal@letsping.co for enterprise agreements.
What we don't do
- We do not execute your business logic (e.g. we don't call Stripe or your database on your behalf).
- We do not train or fine-tune any AI models on your data. We do not use your payloads for generative AI.
- We do not have access to your downstream systems (payment processors, databases, internal APIs) unless you explicitly send that data in a payload; we treat payloads as confidential and do not share them.
- We do not guarantee prevention of all abuse—you must wrap the right tools, set guardrails, and approve or reject requests. We provide the controls; you operate them.
- We do not provide legal, tax, or compliance advice. You are responsible for ensuring your use complies with applicable law.
For security disclosures: security@letsping.co. For legal or DPA: legal@letsping.co.