Primary certification: SOC 2 Type II
Hosting: AWS (U.S. regions)
Encryption: AES-256 + TLS 1.3
Identity controls: RBAC, MFA, SSO
SOC 2 Type II
Independent assurance is a core control for enterprise procurement review.
Compliance frameworks and privacy standards relevant to customers in the US, Canada, the EU, and India.
HelloGrowthCRM maintains a SOC 2 Type II report. The report is available under NDA; email sales@hellogrowthcrm.com.
California Consumer Privacy Act. US-based customers have full data subject rights including access, deletion, and portability. Data Processing Addendum available.
HelloGrowthCRM can support HIPAA-compliant deployments for healthcare customers with a signed BAA. Contact sales for BAA terms.
Our web application targets WCAG 2.1 Level AA for US accessibility compliance. Accessibility statement at /legal/accessibility.
Data is stored in Supabase (AWS us-east-1) with Cloudflare edge caching. US customers' data never leaves North American data centers.
EU General Data Protection Regulation. We support data subject rights (access, rectification, erasure, portability) and offer a Data Processing Addendum for EU/UK customers.
India's Digital Personal Data Protection Act. We follow DPDPA-aligned data-handling practices for Indian customers, including consent, purpose limitation, and data-principal rights. DPA available on request.
UAE Personal Data Protection Law. HelloGrowthCRM supports UAE customers under PDPL requirements — including data-subject rights, cross-border transfer safeguards, and controller obligations. Relevant for businesses operating in Dubai, Abu Dhabi, and across the UAE.
Indian customer data is processed in compliance with DPDPA localisation requirements. For tenants requiring in-country storage, HelloGrowthCRM offers India-region data residency on request — keeping your customer records, WhatsApp conversation logs, and contact data within Indian borders.
Request trust documentation, ask compliance questions, or start a security review.
HelloGrowthCRM AI agents operate within a configurable safety framework. Every agent action is logged, reversible, and bounded by per-agent limits you configure.
Three autonomy levels
Autonomous, Supervised, and Assistive. You choose the level per agent — from fully hands-off to recommendation-only.
Per-agent action limits
Set daily call limits, spend caps, and volume thresholds. Agents cannot exceed configured boundaries.
Full audit trail
Every agent action is logged with timestamp, agent identity, and data changed. Immutable record for compliance review.
One-click pause
Any agent can be paused instantly from admin settings without affecting other automations or workflows.
PII masking
Raw contact data can be masked from agent-accessible logs and AI client responses via MCP scope settings.
Human-in-the-loop gates
Supervised agents stage actions for human approval before committing. No autonomous action without explicit configuration.
A CRM holds the most commercially sensitive information a sales team owns: every contact, every quoted price, every WhatsApp thread with a prospect. Soor LLC, the company behind HelloGrowthCRM, completed a SOC 2 Type II examination covering the February–June 2025 observation window — meaning an independent auditor tested that our security controls actually operated over time, not just that policies existed on paper.
All traffic between your browser, the mobile app, and our servers is encrypted in transit with TLS, and data is encrypted at rest on the underlying storage. The application database runs on Supabase-managed Postgres with row-level security policies, so tenant isolation is enforced by the database engine itself rather than only by application code. Inside your workspace, role-based access control determines what each rep, manager, and admin can see — a field rep can work their own pipeline without browsing the whole company's deal values.
For Indian customers, our data-handling practices align with the Digital Personal Data Protection Act, including the Section 20-relevant obligations around processing children's data and consent. Details on exercising access, correction, and erasure requests are on the data rights page; security researchers can report issues through the vulnerability disclosure programme.
Straight answers to the questions IT reviewers and founders raise most during evaluation. Anything not covered here can be asked directly — we respond to security questionnaires as part of every enterprise evaluation.
Running a vendor assessment? The trust center packages the documents procurement usually needs — SOC 2 report request, DPA, and subprocessor list — in one place. Or start a free trial and evaluate the access controls hands-on.