Our mission is to deliver a secure, reliable, and privacy‑respecting CRM for startups and small businesses. We combine 1stContact.ai’s premium onboarding, support, and configuration with proven cloud architecture and controls. Where appropriate, we clearly describe how 1stContact.ai implements and extends these controls.
Covered in this Article
- Our Company and Products
- Security and Risk Focus
- Our Security & Compliance Objectives
- Security Controls
- Infrastructure Security
- Application Security
- Customer Data Protection
- Data Backup & Disaster Recovery
- Identity & Access Control
- Organizational & Corporate Security
- Compliance
- Privacy
- GDPR
- Document Scope and Use
- Contact Us
Introduction & Our Company and Products
1stContact.ai is an AI‑powered, all‑in‑one sales, marketing, and CRM platform designed for startups and SMBs. We enable robust automation, omnichannel communication, and scalable client management.
Built by operators for operators, our goal is to help teams reach and surpass their benchmarks for success through a consumer‑friendly, continuously updated SaaS experience. We measure our success by customer outcomes and invest heavily in usability, reliability, and security.
1stContact.ai Security and Risk Focus
1stContact.ai’s primary security focus is safeguarding customer data. Our platform includes dedicated corporate, product, and infrastructure security programs overseen by our Legal and Security teams in partnership with other departments.
Our Security & Compliance Objectives
- Customer Trust & Protection: Deliver superior products and support while protecting privacy and confidentiality.
- Availability & Continuity: Ensure service uptime and minimize risks to service continuity.
- Integrity: Keep customer information accurate and unaltered.
- Standards Alignment: Align with industry best practices and enable our customers’ compliance requirements.
1stContact.ai Security Controls
1stContact.ai employs layered administrative, technical, and physical security controls across the organization. Below is a summary of commonly requested controls relevant to our customers.
Infrastructure Security
Cloud Hosting Provider
1stContact.ai does not host product systems or data in physical offices. Hosting is outsourced to leading cloud providers such as Google Cloud Platform (GCP) and Amazon Web Services (AWS). Product infrastructure resides in the United States, and we rely on our providers’ audited security and compliance programs for physical, environmental, and infrastructure security.
- GCP Availability: GCP publishes per‑service SLAs with monthly uptime targets (commonly 99.5% to 99.99%, depending on the service).
- AWS Reliability: AWS likewise publishes per‑service SLAs (many at 99.9% or higher), and its business continuity and disaster recovery controls are independently validated in AWS SOC 2 and ISO 27001 reports. Provider SLAs apply to the underlying infrastructure services, not to the 1stContact.ai application layer built on top of them.
Network and Perimeter
We enforce multiple layers of filtering and inspection across web application firewalls, logical firewalls, and security groups. Network ACLs prevent unauthorized access to internal resources. Firewalls deny connections by default; rule changes follow change‑control processes and periodic reviews.
Configuration Management
Our product infrastructure is highly automated. Server configurations are defined via images/configuration files used to provision containers, each with hardened baselines. Drift from baseline is detected and remediated, with non‑compliant instances replaced or re‑provisioned. Patch management leverages automated tooling.
Logging
Application and security‑relevant events are centrally logged, indexed, and retained to support investigation and response. Write access to log storage is tightly controlled and limited to authorized engineers.
Alerting and Monitoring
Automated monitoring and alerting are in place. Error rates, abuse scenarios, and application attacks trigger automated responses and/or alerts to engineering and security teams. Protections such as traffic throttling and process termination can be triggered at defined thresholds.
Application Security
Web Application Defenses
Customer content hosted on our platform is protected by firewall and application‑layer security. Monitoring tools observe behavior and session rates to detect malicious activity. Detection and blocking rules align with OWASP best practices (e.g., OWASP Top 10). DDoS protections help ensure availability of customer websites and platform components.
Development and Release Management
1stContact.ai uses a modern continuous delivery model. Code changes undergo review, testing, and approval prior to deployment. Static analysis and configuration checks help prevent known misconfigurations. Builds run through CI for packaging and unit tests; dynamic security testing is conducted periodically. Deployments are automated with rollback procedures and staged through QA environments segmented from production. Feature gating and traffic management support progressive rollout (private/public beta, general availability). SaaS updates are seamless with no planned downtime; major changes are communicated in‑app and via product updates.
Vulnerability Management
A multi‑layered vulnerability management program uses industry‑recognized tools and threat intelligence. Regular scanning, adaptive asset discovery, and updated signatures support coverage. Annual penetration tests of applications and infrastructure inform remediation priorities.
Customer Data Protection
Data Classification
Per our Terms of Service, customers are responsible for capturing only appropriate information necessary for marketing, sales, service, and operational workflows. The platform should not be used to collect or store highly sensitive information (e.g., full payment card data, bank account numbers, Social Security numbers, passport numbers, health records), except where explicitly permitted.
Tenant Separation
The platform is multi‑tenant. Customer data is logically separated using unique IDs; authorization rules are designed into the architecture and continuously validated. Application authentication, access changes, availability, and relevant user activities are logged.
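The pattern described above, tenant scoping on every query, is easy to get wrong in a single code path, so here is an added example (not 1stContact.ai's code) that contrasts an unscoped lookup with a tenant‑scoped one. The schema, table and function names are assumptions made for this illustration, and the sample rows are constructed.

```python
"""Tenant-scoped data access in a multi-tenant CRM (added example, not the
platform's own implementation). The tenant id always comes from the
authenticated session, never from the request, and is part of every WHERE
clause, so a record id alone can never read or modify another customer's data.
Schema and function names are assumptions for this example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO contacts (id, tenant_id, email) VALUES (?, ?, ?)",
        [
            (1, "tenant-a", "alice@example.com"),  # constructed sample data
            (2, "tenant-b", "bob@example.com"),
        ],
    )
    conn.commit()
    return conn


def get_contact_unscoped(conn: sqlite3.Connection, contact_id: int):
    """Insecure pattern shown for contrast: looks a row up by id only.
    Any authenticated user who guesses an id reads another tenant's row
    (an insecure direct object reference)."""
    return conn.execute(
        "SELECT id, tenant_id, email FROM contacts WHERE id = ?", (contact_id,)
    ).fetchone()


def get_contact(conn: sqlite3.Connection, caller_tenant: str, contact_id: int):
    """Hardened pattern: the caller's tenant (from the session) scopes the read.
    A row belonging to another tenant is indistinguishable from a missing row."""
    return conn.execute(
        "SELECT id, tenant_id, email FROM contacts WHERE id = ? AND tenant_id = ?",
        (contact_id, caller_tenant),
    ).fetchone()


def update_contact_email(conn: sqlite3.Connection, caller_tenant: str,
                         contact_id: int, new_email: str) -> int:
    """Writes are scoped the same way. Returns the number of rows changed;
    0 means the record is missing or belongs to a different tenant."""
    cur = conn.execute(
        "UPDATE contacts SET email = ? WHERE id = ? AND tenant_id = ?",
        (new_email, contact_id, caller_tenant),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    # Tenant A asks for record 2, which belongs to tenant B.
    print("unscoped:", get_contact_unscoped(db, 2))      # leaks tenant B's row
    print("scoped  :", get_contact(db, "tenant-a", 2))   # None
    print("owner   :", get_contact(db, "tenant-b", 2))   # tenant B's own row
```

The scoped write returning a row count of 0 for a foreign record is the same check applied to updates and deletes; it is the kind of invariant that the "continuously validated" authorization rules above would test for every data path.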
Encryption
- In transit: All data in transit is protected with TLS 1.2 or higher and strong cipher suites. TLS is also enabled by default for customer websites hosted on the platform.
- At rest: Platform data is encrypted with AES‑256; user passwords are never stored in plaintext but are hashed following industry best practices, and the password store is itself encrypted at rest.
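To make the two bullets concrete, the following added example (not the platform's own code) shows a TLS server context that refuses anything below TLS 1.2, and salted, memory‑hard password hashing with constant‑time verification. The scrypt cost parameters and the storage string format are assumptions for illustration.

```python
"""Transport floor and at-rest password hashing (added example, not
1stContact.ai's implementation). Part 1 builds an ssl.SSLContext whose
minimum protocol version is TLS 1.2. Part 2 hashes passwords with scrypt
(salted, memory-hard) and verifies them in constant time. Cost parameters
and the '$'-separated storage format are assumptions for this example."""
import hashlib
import hmac
import os
import ssl


def tls12_min_context() -> ssl.SSLContext:
    """Server-side TLS context with TLS 1.2 as the floor; TLS 1.0/1.1
    handshakes are rejected before any application data is exchanged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# scrypt work factors (assumed; tune so one hash costs roughly 100 ms on
# production hardware). Memory use is about 128 * N * r bytes = 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing hash string: scheme$N$r$p$salt$digest."""
    salt = os.urandom(16)  # unique per user, so identical passwords differ
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    Malformed records verify as False rather than raising."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    print("TLS floor:", tls12_min_context().minimum_version.name)
    record = hash_password("correct horse battery staple")
    print("stored  :", record)
    print("verify  :", verify_password("correct horse battery staple", record))
    print("wrong   :", verify_password("Tr0ub4dor&3", record))
```

Storing the work factors alongside the digest is what lets the cost be raised later: old records keep verifying with their own parameters and can be re‑hashed on the user's next successful login.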
Key Management
Encryption keys for transit and at‑rest encryption are managed by 1stContact.ai. TLS private keys may be managed via our content delivery/network partners. Volume/field‑level keys are stored in hardened Key Management Systems (KMS). Keys are rotated based on data sensitivity; TLS certificates are typically renewed annually. Customer‑supplied keys are not supported at this time.
Data Backup & Disaster Recovery
System Reliability and Recovery
1stContact.ai services are built for redundancy across multiple availability zones and VPCs. Web, application, and database components support point‑in‑time recovery.
Backup Strategy & System Backups
- Systems are backed up on regular schedules; seven (7) days of database backups are retained to support restoration.
- Backup jobs are monitored; failures trigger alerts, investigation, and remediation.
- Data is backed up within the hosting region, with monitoring for replication failures.
Physical Backup Storage
As a public‑cloud SaaS, 1stContact.ai does not use customer‑accessible physical media for backups and does not generally produce hard‑copy media as part of product operations.
Backup Protections
Backups are protected via access controls and “write‑once, read‑many” (WORM)‑style protections within product infrastructure networks and storage ACLs.
Customer Data Backup Restoration
Disaster recovery and resiliency operations are managed by our engineering teams. Customers do not have direct infrastructure‑level failover controls. In many cases, items deleted in the app (e.g., contacts, opportunities, custom fields/values, tags, notes, tasks) can be restored for up to 30 days via recycle bin features. Pages, blog posts, and emails often support version history restore. Additional customer‑managed backups can be performed via data exports and public APIs.
Identity & Access Control
Product User Management
Granular authorization allows customers to create/manage users, assign roles and permissions, and limit access as needed.
Product Login Protections
Users can authenticate using 1stContact.ai’s native login. Default password policy requires a minimum of 8 characters, mixed case, numbers, and special characters. Two‑factor authentication (2FA) is available and can be enforced by portal administrators.
1stContact.ai Employee Access to Customer Data
Access to Production Infrastructure
Engineer access follows role‑based access control (RBAC) with least privilege. Persistent administrative access is restricted. Direct network connections (e.g., SSH) are prohibited without first authenticating through bastion hosts or via assigned IAM roles.
Access to Customer Portals
Customer‑facing staff may obtain limited, time‑bound access via “Just‑In‑Time Access” (JITA) to assist customers. Each request is logged and limited (typically up to 24 hours) with risk‑based monitoring. 1stContact.ai team members are unable to perform high‑risk actions such as changing domain/SSO settings, exporting contacts, rotating private app keys, mass imports, or mass deletions while using JITA.
User logins, employee access, security activity, and content activity are logged.
Corporate Authentication & Authorization
Access to the 1stContact.ai corporate network requires MFA. Password policies align with industry best practices. Administrative secrets are managed via password vaults with RBAC or JITA controls. Access grants are reviewed at least semi‑annually to ensure necessity and appropriateness.
Organizational & Corporate Security
Background Checks & Onboarding
1stContact.ai conducts third‑party background checks prior to hire. New hires acknowledge the Employee Handbook and Code of Conduct outlining security responsibilities.
Policy Management
Written policies and procedures include a core Written Information Security Policy (WISP) covering data handling, privacy, and disciplinary actions. Policies are reviewed and approved at least annually.
Security Awareness Training
CyberSafety training is required at onboarding and provided annually, including phishing awareness.
Vendor Management
1stContact.ai reviews third‑party service providers’ security and privacy controls during onboarding and maintains a list of sub‑processors in its Data Processing Agreement (DPA).
Endpoint Protection
Company‑issued laptops are centrally managed with full‑disk encryption. Mobile Device Management (MDM) enforces device settings, security policies, app deployment, and compliance with corporate policy.
Compliance
Sensitive Data Processing and Storing
Please see our Terms of Service and Privacy Policy for details on how and why we process data. While customers may pay for services by credit card, 1stContact.ai does not store, process, or collect credit card information directly and is not PCI‑DSS compliant. We leverage PCI‑compliant payment processors to handle payment transactions securely.
Privacy
Data Retention and Data Deletion
Customer data is retained for as long as you remain an active customer. Current and former customers can request deletion of certain data, and 1stContact.ai will fulfill those requests as required by privacy rules and regulations. We retain certain data (e.g., logs and related metadata) for security, compliance, or statutory needs. Custom retention policies are not currently supported.
Privacy Program Management
Our Legal Team collaborates with engineering and product to implement an effective privacy program. See our Privacy Policy and Data Processing Agreement for more.
Breach Response
1stContact.ai will notify customers as required by law if we become aware of a data breach that impacts your personal data.
GDPR
1stContact.ai aims to provide features that enable our customers to achieve and maintain GDPR compliance requirements. Use of our product alone does not make your organization GDPR compliant. Please refer to our GDPR resources for additional information.
Document Scope and Use
This document is intended to be a resource for our customers. It is not intended to create a binding or contractual obligation between 1stContact.ai and any party, or to amend, alter, or revise any existing agreements. 1stContact.ai is continuously improving the protections we have implemented, so our procedures may change.
Contact Us
Questions about this document? We want to hear from you! Reach us at [email protected].