Trust

Security & Sub-processors

Last updated: 11 June 2026

We know you're trusting us with access to your CRM, billing, and analytics data. Here's a plain-English overview of how we protect it. For the full legal detail, see our Privacy Policy.

Data hosted in the UK (AWS eu-west-2)

Read-only integration access

No raw CRM/billing data stored

Encrypted in transit (TLS) & at rest

1. How we protect your data

Encryption: all data is encrypted in transit (TLS 1.2+) and at rest in our database provider (Supabase/AWS).
Access control: your account data is isolated using row-level security (RLS) policies — your data is never visible to other customers, and access is limited to authenticated requests for your own account.
Read-only integrations: when you connect HubSpot, Stripe, GA4 or other tools, we request read-only OAuth scopes wherever the provider supports it. We cannot modify or delete data in your connected tools.
Minimal data retention: we compute the metrics you need and discard raw payloads from connected tools — we don't build a shadow copy of your CRM or billing data.
Authentication: the abi. platform uses passwordless magic-link authentication (Supabase Auth) — there's no password to be phished or leaked.
Least-privilege team access: only authorised OurIdea team members can access production systems, and only as needed to provide support or maintain the service.

2. Sub-processors

We use the following third-party providers ("sub-processors") to deliver our products. We carry out due diligence on each provider and only share the minimum data necessary for them to perform their function.

Sub-processor	Purpose	Location	Data shared
Supabase (AWS)	Database & authentication	UK (eu-west-2, London)	All account & platform data
Anthropic	AI insight & content generation (Claude API)	USA (processed in transit, not retained for training)	Computed metrics, ICP/targets — no PII
Nango	OAuth connection management for integrations	EU	OAuth tokens for connected tools only
Make.com	Workflow automation (scheduled metric pulls, emails)	EU	Account & metrics data in transit
Resend	Transactional email (welcome, digest, receipts)	EU/USA	Name, email address, email content
Stripe	Payment processing	USA (UK IDTA / SCCs in place)	Billing & payment data (not stored by us)
Netlify	Website & app hosting / CDN	Global	Website traffic logs

We'll update this page if our sub-processor list changes, and notify customers of material changes by email where required.

3. Reporting a security issue

If you discover a security vulnerability, please report it responsibly to security@ouridea.ai. Please don't access, modify, or delete other users' data, and give us reasonable time to investigate and fix the issue before any public disclosure. We won't take legal action against good-faith security research conducted in line with this policy.

4. Incident response

In the event of a data breach affecting your personal data, we'll notify affected customers without undue delay, and the ICO within 72 hours where required under UK GDPR.

5. Questions

For security or compliance questions (including requests for a DPA — see our DPA template), email adam@ouridea.ai.