Trust Center

How RobotRock protects your data and operates the Services.

Last updated: June 26, 2025

Security overview

RobotRock is a B2B SaaS platform for human-in-the-loop approvals. We use administrative, technical, and organizational controls designed to protect customer data, including encryption in transit (TLS), access controls, audit logging, and automated data retention.

We are preparing for a SOC 2 Type I audit (Security, Availability, and Confidentiality). This page will be updated when our report is available.

Controls

  • Authentication — WorkOS AuthKit with organization-scoped access and admin roles.
  • API keys — Admin-managed keys with revocation, hashed storage, and rate limits.
  • Webhooks — Per-tenant signing secrets and SDK signature verification.
  • Audit trail — Immutable-style event log for task lifecycle and handler delivery, with CSV export.
  • Data retention — Plan-based task and audit log retention with automated cleanup.
  • Monitoring — Public status page at status.robotrock.io.

Subprocessors

We use the following service providers to operate RobotRock. We require contractual confidentiality and security obligations. See also our Data Processing Agreement.

VendorPurposeData processedRegion
VercelApplication hosting and edge deliveryHTTP requests, application logs, deployment metadataUnited States (global edge)
ConvexPrimary database and serverless backendWorkspace data, tasks, audit logs, API metadataUnited States
WorkOSAuthentication and organization managementAccount emails, names, organization membershipUnited States
StripeSubscription billing and paymentsBilling contact details, subscription status (RobotRock does not store full card numbers)United States
UpstashRedis caching, task polling, and webhook queuesAPI key validation cache, task stream entries, webhook payloads in transitUnited States / EU (region-dependent)
ResendTransactional email deliveryRecipient email addresses, notification contentUnited States
Trigger.devOptional durable workflow integration for customers using Trigger.devTask metadata relayed through customer-configured workflowsUnited States

Data processing role

For workflow and task data you submit through the API or dashboard, RobotRock acts as a data processor on your behalf. You remain the controller of that customer content. Account and billing data may be processed as controller where applicable.

Incident response

Report a security concern to security@robotrock.io. We investigate reports promptly and will notify affected customers of confirmed breaches as required by law and our agreements.

Privacy and legal

Contact

Security: security@robotrock.io
Privacy / data requests: privacy@robotrock.io