Security and data practices

Your customers' data is encrypted, segmented, and yours alone.

Plain answers, in the same voice we use everywhere else. Encryption, access controls, retention, SOC 2 status, HIPAA stance, escalation paths. We sign Data Processing Agreements on request, and we will send you the list of vendors who touch your data if you ask.

How we store your customer messages.

Every inbound message your customers send is encrypted before it lands in our database, and stays encrypted while it sits there. Connections to our service are also encrypted in transit (the same TLS standard your bank uses). Backups are encrypted with the same protection and live in a separate facility on the same coast.

Your data is yours alone. There is no shared message pool. A plumbing shop in Sacramento and a clinic in Austin do not see each other's customers, even by accident, and the controls that enforce that exist at every layer of our stack. We have separate access keys per AfterHours account, separate audit trails, and a server-level filter that blocks any read across accounts.

Messages are never written to disk in plain text outside the database. The error logs our engineers read while debugging show a hash and a timestamp, not the customer's actual words. The original message stays in the database, readable only through the admin surface you use.

Region note

Today we are US-only. If you need EU residency for GDPR-relevant traffic, email security@afterhours.run and we will give you the timeline. We are not currently configured to host data in EU regions.

Who can read your messages.

Three groups can access your customer data. Every read by anyone other than you or the AI agent is logged with a name, timestamp, and reason, in an append-only audit pipeline you can request a copy of at any time.

  • You. Your admin account, the people you grant access to, and any API tokens you create. The admin surface is the only place you can read full message bodies in production.
  • The AI agent. The Claude model that drafts your replies reads the inbound message, your tone settings, and your calendar. It does not read messages from other customers, and it does not remember messages between sessions outside the conversation it is currently writing.
  • Two engineers on the AfterHours team, only with audit logging. The founder and the on-call engineer can access production data through the logged audit pipeline only, and only when investigating a bug or an incident. Every read of customer data writes a row to the audit log with the engineer's name, the timestamp, and the reason. We do not browse customer data for any other purpose, and we cannot read your data without the audit log capturing it.

Operations staff, contractors, sales, and any future hires outside the on-call engineering rotation cannot read customer message bodies. They can see metadata, like inbound counts and response times, but not the words themselves. We do not employ a "we look at your data to improve the product" exception. There is no such pipeline.
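To make the access model above concrete, here is an added illustration (not AfterHours' own code, and not taken from this page) of a server-side read guard that enforces the three rules described: an owner or the agent can only read records belonging to their own account, an engineer can read across accounts only through an audited path that requires a stated reason, and every other role is refused. The `Principal` roles, the `MESSAGES` records and the `AuditLog` class are all constructed for the example and are assumptions, not AfterHours' schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample records for the example: message id -> owning account and body.
MESSAGES: Dict[str, Dict[str, str]] = {
    "m-1": {"account": "acct-sacramento-plumbing", "body": "Can you come Tuesday?"},
    "m-2": {"account": "acct-austin-clinic", "body": "Need to reschedule my 3pm."},
}


class CrossAccountRead(PermissionError):
    """A read that would cross an account boundary (assumed exception type)."""


class ReasonRequired(ValueError):
    """A privileged engineer read that carries no stated reason."""


@dataclass(frozen=True)
class Principal:
    name: str
    role: str                # "owner", "agent", "engineer", or anything else (refused)
    account: Optional[str]   # the principal's own account; None for engineers


@dataclass
class AuditLog:
    # Only append() is exposed; nothing here updates or deletes an existing row,
    # which is what makes the log append-only from the application's point of view.
    _rows: List[dict] = field(default_factory=list)

    def append(self, actor: Principal, account: str, message_id: str, reason: str) -> None:
        self._rows.append({
            "who": actor.name,
            "role": actor.role,
            "account": account,
            "message": message_id,
            "reason": reason,
            "at": datetime.now(timezone.utc).isoformat(),
        })

    def rows(self) -> List[dict]:
        # Return a copy so callers cannot rewrite history through the returned list.
        return list(self._rows)


def read_message(actor: Principal, message_id: str, audit: AuditLog, reason: str = "") -> str:
    """Return a message body only if the read is permitted; log privileged reads."""
    record = MESSAGES[message_id]
    owning_account = record["account"]

    if actor.role in ("owner", "agent"):
        # Scope check happens on the server, not in the client: the caller's own
        # account must match the record's account, or the read is refused.
        if actor.account != owning_account:
            raise CrossAccountRead(f"{actor.name} may not read {owning_account}")
        return record["body"]

    if actor.role == "engineer":
        # Engineers cross account boundaries only through the audited path,
        # and only with a reason that ends up in the audit row.
        if not reason.strip():
            raise ReasonRequired("engineer reads must state a reason")
        audit.append(actor, owning_account, message_id, reason)
        return record["body"]

    # Ops, sales, contractors: metadata elsewhere, never message bodies.
    raise PermissionError(f"role {actor.role!r} cannot read message bodies")


def is_refused(actor: Principal, message_id: str, audit: AuditLog, reason: str = "") -> bool:
    """True if the guard rejects the read (used for quick checks below)."""
    try:
        read_message(actor, message_id, audit, reason)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    log = AuditLog()
    owner = Principal("owner-a", "owner", "acct-sacramento-plumbing")
    engineer = Principal("oncall", "engineer", None)
    print(read_message(owner, "m-1", log))
    print(is_refused(owner, "m-2", log))              # cross-account: refused
    print(read_message(engineer, "m-2", log, "incident #constructed-123"))
    print(log.rows())
```

The point of the shape is that the account check and the audit write live in the same function that hands out the body, so there is no code path that returns a body without passing through both.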

We do not train on your data.

Your customer messages are not used to train any model. Not the model that drafts replies, not a future internal model, not any third-party model. We have negotiated zero-retention terms with our LLM provider so that prompts and completions on your behalf are not retained for training on their side either.

If you ask, we will send you the contractual evidence of zero-retention with the LLM provider as part of our subprocessor pack. We sign a Data Processing Agreement (DPA) on request, with mutual indemnification clauses for any breach of the no-training term.

The exception is internal evaluation: if a draft reply causes a problem, our on-call engineer may sample the draft and the inbound to debug the agent. That sample stays in the engineer's session and is purged when the bug is closed. It is not added to a training set.

How long we keep things.

The default retention policy is 90 days for full message bodies and indefinite for metadata. Metadata means: inbound timestamp, channel, response latency, status (booked, junk, escalated). Body means: the customer's words and the AI's reply.

Body retention is configurable on the admin under Account → Data. You can set body retention to 30, 60, 90, 180, or 365 days. You can also turn off body retention entirely, in which case messages are deleted from our database within 24 hours of the morning brief being sent. Most clients leave the default at 90 days because it is the window where you are most likely to want to look back at "what did we say to that customer."

If you cancel your account, all body data is deleted within 14 days of cancellation. Metadata is anonymized and retained for our own analytics, with no ability to re-identify your customers. The 14-day window exists because we run a soft-delete process to handle accidental cancellations, not because we want to hold your data.

Right to delete

If one of your customers asks you to delete their data, you can do it from the admin's customer view in one click. We process the deletion within 24 hours and confirm by email. We do not require you to file a support ticket for routine deletions.

SOC 2 status.

SOC 2 Type I is in progress with a target completion of October 2026. We are working with Prescient Assurance as the auditor. The trust services criteria are scoped to security, availability, and confidentiality. We are not chasing privacy or processing integrity in this round; those are slated for the Type II observation window that begins immediately after Type I closes, with a Type II report targeted for Q3 2027.

Status: SOC 2 Type I in progress, Prescient Assurance, target close October 2026.

If you need a SOC 2 report before signing, email security@afterhours.run with the timeline you need. We can give you the full audit timeline, the auditor name, and an interim letter from the auditor at any point during the engagement. We can also point you at the controls we have already implemented (access logging, change management, encryption at rest, vulnerability management) so that your security review can move forward in parallel with the audit timeline.

Not yet ISO 27001. Not on the roadmap before SOC 2 Type II.

Where we land on HIPAA.

Short version, for medical readers. We are not currently HIPAA-eligible for clinical PHI and we do not sign BAAs. Our HIPAA-eligible mode is targeted for Q2 2027. If your inbound regularly contains PHI, we will refer you to a HIPAA-eligible alternative until our mode ships. The longer answer is below.

This is the question med spas and dental practices ask first. The honest answer: we are not currently a HIPAA-eligible business associate for clinical PHI. We do not sign Business Associate Agreements (BAAs) today.

The reason is not technical: the storage and access controls described above are sufficient. The reason is operational: we have not completed the policy and audit work that HIPAA requires, and we will not sign a BAA we cannot stand behind.

That said, the way our agent is configured for med spa and dental clients keeps PHI out of the system in practice. The agent is trained to never ask for PHI. If a customer volunteers PHI in an inbound message (for example, a patient describing a recent botox follow-up issue), the redaction pass kicks in: we strip the PHI from the stored body, replace it with a tag like [PHI redacted], and notify the clinic via the morning brief that a redaction occurred. The clinical lead sees the original message in the admin only after a one-click re-confirmation.

This is a workable middle ground for clients who have low PHI volume and want a fast night desk. It is not a substitute for a HIPAA-eligible service if your inbound stream is medical-record-heavy. If that describes your practice, please tell us at signup and we will refer you to a HIPAA-eligible alternative until we close the gap on our side.

Roadmap

HIPAA-eligible mode is on the 2027 roadmap, target Q2. If your contract depends on the timeline, we will tell you the truth before you sign.

Incident escalation paths.

If you spot a security issue, the fastest path is security@afterhours.run. The mailbox is monitored by the founder during business hours and routes to an on-call pager outside of business hours. We commit to a first response within four hours during business hours, and within twelve hours outside of them.

If we detect an incident on our side that affects your data, we notify you by email and post a status update on the admin within 24 hours of confirmation. If the incident involves unauthorized access to your message bodies, we notify you by phone in addition to email, within four hours of confirmation. We follow the breach disclosure norms expected of US service providers.

  • Suspected vulnerability. Email security@afterhours.run with details. We respond within four business hours and acknowledge with a tracking number. If you want to disclose responsibly, we will work to your timeline.
  • Suspected unauthorized access. Email security@afterhours.run with "P0" in the subject. New accounts receive a direct phone number for the founder in the welcome email; prospects evaluating us before signing can request that number directly via security@afterhours.run. We treat these as P0 and engage in real time.
  • Lost device, leaked admin credentials. Use the admin's "rotate keys" flow to invalidate tokens immediately. If the admin is unreachable, email security@afterhours.run and we will rotate from our side.

Vendors who touch your data.

The list below is the complete set of third parties that handle your customer data on our behalf. We sign DPAs with all of them. If you need the full set of contracts as part of a vendor review, email security@afterhours.run.

  • Anthropic (Claude). LLM provider for the drafting and triage agent. Zero-retention enterprise terms. US-region routing.
  • AWS. Hosting for application and database. US-East-1 region.
  • Twilio. SMS inbound and outbound. Standard enterprise DPA.
  • Postmark. Transactional email for the morning brief. Standard enterprise DPA.
  • Sentry. Application error monitoring. PII redaction enabled at the SDK layer.

We do not use third-party analytics that track individual customers. We do not use a customer data platform. We do not sell, rent, or share data with third-party marketers. Period.

Talk to us directly

Ask us anything before you sign.

Email security@afterhours.run and we will reply within four business hours. If you need a SOC 2 letter, a DPA, or a vendor questionnaire turned around, name your timeline. Or, if you are ready to move ahead, book a setup call below.