Security at FirstDistro
Your customer data deserves enterprise-grade protection. We've built security into every layer of our platform, from encryption to access controls to compliance.
Data Protection
We use multiple layers of security to protect your data at every stage.
Encryption in Transit
Encryption at Rest
Tenant Isolation
Security Updates
Infrastructure
We partner with industry-leading infrastructure providers who maintain the highest security standards.
Supabase
Database & Authentication
Our database infrastructure runs on Supabase, which provides enterprise-grade PostgreSQL hosting with automatic backups, point-in-time recovery, and comprehensive security controls.
Vercel
Application Hosting
Our application is deployed on Vercel's edge network, providing DDoS protection, automatic HTTPS, and global distribution for reliability and performance.
Data Retention
We only keep data as long as necessary to provide our service. Here are our retention periods:
| Data Type | Retention Period |
|---|---|
| Product usage events | 90 days |
| Dashboard analytics | 30 days |
| Customer account data | Until deletion requested |
| Aggregated health scores | Until deletion requested |
Learn more about how we handle your data in our Privacy Policy.
Access Controls
Granular permissions ensure the right people have the right level of access.
Role-Based Permissions
Three permission levels ensure appropriate access:
- Owner — Full account access including billing, API keys, and team management
- Admin — Manage integrations, invite team members, view billing
- Member — Access dashboard, view customers, manage experiences
Team Management
Invite team members via email with secure, time-limited invitation tokens. Revoke access instantly when team members leave.
Scoped API Keys
API keys are scoped to your organization and can be revoked at any time. We recommend rotating keys periodically.
Subprocessors
We carefully vet all third-party services that process your data. Here are our subprocessors:
| Service | Purpose | Certification |
|---|---|---|
| Supabase | Database & authentication | SOC 2 Type II |
| Stripe | Payment processing | PCI DSS Level 1 |
| Resend | Transactional email | SOC 2 |
| HubSpot | CRM integration (optional) | SOC 2 Type II |
| Attio | CRM integration (optional) | SOC 2 |
| OpenAI | AI-powered health scoring | SOC 2 Type II |
| | OAuth authentication | SOC 2 Type II |
CRM integrations are only activated when you connect your CRM account. No data is shared with these services unless you explicitly enable the integration.
Compliance
We've implemented controls aligned with industry standards and regulations.
GDPR Compliant
FirstDistro acts as a data processor for customer data you collect. We provide a Data Processing Agreement (DPA) on request.
Data Portability
Export your data at any time. We support your right to data portability and will provide exports in standard formats.
Self-Service Deletion
Delete your account and all associated data directly from your settings. Deletion is permanent and immediate.
DPA Available
Enterprise customers can request a signed Data Processing Agreement. Contact us at jide@firstdistro.com.
Our Security Practices
Beyond technical controls, we maintain strong security practices:
- Two-factor authentication enabled on all administrative accounts
- Automated vulnerability scanning via Dependabot for all dependencies
- Code review required for all changes before deployment
- Audit logging for security-relevant events and permission changes
- Limited production access restricted to essential personnel only
Security Questions?
We're happy to answer questions about our security practices, provide additional documentation, or discuss specific requirements for your organization.
Contact us for security inquiries:
jide@firstdistro.com
For general inquiries about data handling, see our Privacy Policy and Terms of Service.