Trust Center
How ELEVO protects your business data. In plain language, with no audit claims we do not hold.
Approximate framework: NIST CSF 2.0 (Identify · Protect · Detect · Respond · Recover) · This is not a certification statement.
We owe you direct answers. This page explains what we do to protect your business and what your agents do and do not do with your account. If you need more detail, write to us at team@elevo.dev.
Your data is isolated by row, not by promise
Every customer row in our database is gated by Postgres Row-Level Security (RLS). The policy that decides whether row X is visible to user Y runs inside the database itself — not in our application code. That means a bug in our app cannot let one customer see another customer's rows. RLS is on for every table that holds your data, and we run an automated check every day to make sure nothing slips through.
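For readers who want to see the mechanism, here is an added PostgreSQL illustration of row-level isolation and a daily coverage check. It is not ELEVO's schema or code: the table `customer_notes`, the setting `app.customer_id`, the `public` schema and the UUID are assumptions made up for the example.

```sql
-- Hypothetical tenant table (names are assumptions, not ELEVO's schema).
CREATE TABLE customer_notes (
    id          bigserial PRIMARY KEY,
    customer_id uuid NOT NULL,
    body        text NOT NULL
);

-- Turn RLS on. FORCE applies the policy to the table owner as well;
-- superusers and roles with BYPASSRLS are still exempt, so the
-- application must connect as an ordinary role.
ALTER TABLE customer_notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer_notes FORCE ROW LEVEL SECURITY;

-- The database decides visibility: a row is readable (USING) and
-- writable (WITH CHECK) only when it belongs to the current customer.
-- current_setting() raises an error if the setting is missing, so a
-- request that forgot to identify its customer fails closed.
CREATE POLICY tenant_isolation ON customer_notes
    USING      (customer_id = current_setting('app.customer_id')::uuid)
    WITH CHECK (customer_id = current_setting('app.customer_id')::uuid);

-- Per request: bind the customer for this transaction only.
BEGIN;
SET LOCAL app.customer_id = '00000000-0000-0000-0000-000000000001'; -- constructed value
SELECT id, body FROM customer_notes;  -- returns only that customer's rows
COMMIT;

-- Daily coverage check: any table returned here is NOT fully gated.
-- A table with RLS enabled and zero policies denies all rows, so the
-- risk to flag is RLS being off or not forced.
SELECT n.nspname            AS schema_name,
       c.relname            AS table_name,
       c.relrowsecurity     AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       count(p.polname)     AS policy_count
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND n.nspname = 'public'
GROUP BY n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
HAVING NOT c.relrowsecurity OR NOT c.relforcerowsecurity;

-- Roles that skip RLS entirely; the application role should not appear.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```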
No agent spends money without your confirmation
When an agent reaches a step that costs money — buying an ad, sending an outbound email at scale, paying a service — it pauses and asks you. The same is true for irreversible actions like deletes or publishing to a public channel. The decision to allow the step lives with you, not the agent. We call this "confirm-before-act" and it is the default for every agent surface.
What each connector can and cannot do
When you connect an external account (Instagram, Facebook, X, LinkedIn, Threads, Google Business, Shopify, etc.), ELEVO only asks for the permissions it needs to do the job you asked for. Read-only connectors stay read-only — they cannot post, message, or change settings on the connected account. Posting connectors are scoped to the channels you authorised. You can see the live list of connectors and what each one is allowed to do from your Settings page.
Your data is never used to train AI models
Prompts and generated content are processed by the AI model providers we use, under agreements that prohibit them from training their models on your data. We do not sell, license, or share your data with third parties for advertising or model-training purposes.
Every agent action is logged
When an ELEVO agent runs, it leaves a record: which agent ran, on whose behalf, when, what it changed, and what it cost. You can see the full history of any agent run on your Agent View board, and the security team can audit drift the same way. We run automated checks for drift in our own access controls every day.
Revoke a connector or delete your data, any time
You can revoke a connected account from your Settings page; the connector's tokens are wiped from our database the same minute and the connector goes inert. You can delete your entire ELEVO account from the same page. We will purge your personal data within 30 days, except where law obliges us to keep an invoice trail (HMRC requires 7 years for invoices). The full process is in our Privacy Policy.
If something goes wrong, you hear from us
If we discover a security incident that affects your data, we will email you directly within 72 hours of confirming the incident. We will tell you what happened, what we did about it, and what — if anything — you should do. We are not perfect; we will tell you when we are not.
What we do not claim (yet)
ELEVO does not currently hold a SOC 2 Type II, ISO 27001 or HIPAA audit. We will not publish any of these badges until it is true. If your organisation requires them in order to onboard us, tell us at team@elevo.dev and we will discuss the timeline.
Security researcher or responsible disclosure: team@elevo.dev