Trust Center
How RobotRock protects your data and operates the Services.
Last updated: June 26, 2025
Security overview
RobotRock is a B2B SaaS platform for human-in-the-loop approvals. We use administrative, technical, and organizational controls designed to protect customer data, including encryption in transit (TLS), access controls, audit logging, and automated data retention.
We are preparing for a SOC 2 Type I audit (Security, Availability, and Confidentiality). This page will be updated when our report is available.
Controls
- Authentication — WorkOS AuthKit with organization-scoped access and admin roles.
- API keys — Admin-managed keys with revocation, hashed storage, and rate limits.
- Webhooks — Per-tenant signing secrets and SDK signature verification.
- Audit trail — Immutable-style event log for task lifecycle and handler delivery, with CSV export.
- Data retention — Plan-based task and audit log retention with automated cleanup.
- Monitoring — Public status page at status.robotrock.io.
Subprocessors
We use the following service providers to operate RobotRock. We require contractual confidentiality and security obligations. See also our Data Processing Agreement.
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| Vercel | Application hosting and edge delivery | HTTP requests, application logs, deployment metadata | United States (global edge) |
| Convex | Primary database and serverless backend | Workspace data, tasks, audit logs, API metadata | United States |
| WorkOS | Authentication and organization management | Account emails, names, organization membership | United States |
| Stripe | Subscription billing and payments | Billing contact details, subscription status (RobotRock does not store full card numbers) | United States |
| Upstash | Redis caching, task polling, and webhook queues | API key validation cache, task stream entries, webhook payloads in transit | United States / EU (region-dependent) |
| Resend | Transactional email delivery | Recipient email addresses, notification content | United States |
| Trigger.dev | Optional durable workflow integration for customers using Trigger.dev | Task metadata relayed through customer-configured workflows | United States |
Data processing role
For workflow and task data you submit through the API or dashboard, RobotRock acts as a data processor on your behalf. You remain the controller of that customer content. Account and billing data may be processed as controller where applicable.
Incident response
Report a security concern to security@robotrock.io. We investigate reports promptly and will notify affected customers of confirmed breaches as required by law and our agreements.
Privacy and legal
Contact
Security: security@robotrock.io
Privacy / data requests: privacy@robotrock.io