SECURITY & DATA

Your voice, your data, your tokens, your call.

CPAI handles voice clones, AI avatars, social-platform tokens, and regulated professional content on your behalf. None of that is trivially safe by default — so we made it safe by design. This page describes how, in plain language.

TOKEN HANDLING

OAuth tokens are encrypted before they touch storage.

When you connect Instagram, Facebook, LinkedIn, YouTube, Google Business, or any other platform through CPAI, that connection happens via OAuth — the same standard tools like Hootsuite and Buffer use. We do not store your social media passwords. We never see them.

The access tokens we do hold are encrypted using AES-256-GCM before they are written to disk. The encryption key is held in a separate secret store, not in the same database as the encrypted payload. If our database were somehow exfiltrated whole, the tokens would be unreadable without the key.

Tokens are decrypted only at the moment they need to be used (e.g. to publish a post on your behalf), and the decrypted value is never logged. Token refresh happens automatically — you do not re-enter credentials.
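The storage scheme described above, sketched as an added example (not CPAI's own code). The `TOKEN_ENC_KEY` variable, the `v1.nonce.ciphertext.tag` record layout, and the binding of each record to a client ID and platform through associated data are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumption: the 32-byte key lives in a separate secret store. Here it is read from a
// hypothetical TOKEN_ENC_KEY variable (hex), with a random fallback so the demo runs.
function loadKey() {
  const hex = process.env.TOKEN_ENC_KEY;
  const key = hex ? Buffer.from(hex, "hex") : crypto.randomBytes(32);
  if (key.length !== 32) throw new Error("AES-256 needs a 32-byte key");
  return key;
}

// Associated data ties a ciphertext to its row; it is authenticated, not encrypted.
function aadFor(clientId, platform) {
  return Buffer.from(JSON.stringify([clientId, platform]), "utf8");
}

// Returns the string that would be written to the database column.
function sealToken(key, token, clientId, platform) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(aadFor(clientId, platform));
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  return ["v1", ...[nonce, ct, cipher.getAuthTag()].map((b) => b.toString("base64"))].join(".");
}

// Decrypts at the moment of use; throws if the key, row binding or ciphertext is wrong.
function openToken(key, record, clientId, platform) {
  const [ver, n, c, t] = record.split(".");
  if (ver !== "v1") throw new Error("unknown record version");
  const tag = Buffer.from(t, "base64");
  if (tag.length !== 16) throw new Error("bad tag length");
  const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(n, "base64"));
  d.setAAD(aadFor(clientId, platform));
  d.setAuthTag(tag);
  return Buffer.concat([d.update(Buffer.from(c, "base64")), d.final()]).toString("utf8");
}

// True when the callback throws, i.e. when decryption is refused.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample values, not real credentials; only booleans are printed, never the token.
const key = loadKey();
const sample = "ya29.constructed-sample-token";
const record = sealToken(key, sample, "client-42", "youtube");
console.log(openToken(key, record, "client-42", "youtube") === sample); // correct key and row
console.log(rejects(() => openToken(crypto.randomBytes(32), record, "client-42", "youtube"))); // database copy without the key
console.log(rejects(() => openToken(key, record, "client-99", "youtube"))); // record moved to another client's row
```
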

You can revoke our access at any time from inside your platform's settings, or by deleting the connection from inside the CPAI app. Revocation propagates immediately.

VOICE & AVATAR EXCLUSIVITY

Your voice clone and avatar belong to one client. You.

Your voice clone — built from samples you record during onboarding — is stored against your account and only your account. It is never used in another client's content. It is never used to train any general-purpose model. It is never resold to a voice marketplace. It cannot be invoked from outside CPAI's production pipeline.

Your AI avatar video is the same. Built from your reference photos and onboarded into HeyGen or Higgsfield Soul ID, the avatar identity is locked to your client account. It does not appear in any other client's output and cannot be invoked from outside our infrastructure.

On cancellation, the voice clone is deleted from Resemble AI within 30 days and the avatar is deleted from HeyGen and Higgsfield within the same window. Confirmation is sent to you in writing. The deletion is irreversible — if you ever want to reactivate, you re-record from scratch.

We chose this model — exclusive, deletable, never shared — because voice and avatar are identity, and identity is not something we are willing to pool.

DATA RESIDENCY

Your data is stored in a region appropriate to your jurisdiction.

Our database is hosted on managed Supabase infrastructure (which runs on AWS) in a region chosen to align with the client's jurisdiction. Indian clients are stored in our Mumbai region; UK and EU clients are stored in EU regions; US clients are stored in US regions.

Generated content (audio, video, images) is held in object storage in the same region as the metadata. Static delivery to publishing platforms uses Cloudflare for performance, but original assets never leave the chosen region.

We do not knowingly transfer personal data across regions without your consent. If your jurisdiction changes (for example, you move practice across borders), data residency can be migrated on request.

DELETION

When you leave, your data leaves with you.

Cancellation requires 30 days' written notice. Within those 30 days, we prepare a complete export of your published content, your leads database, your analytics history, your brand profile, and your content calendar. You receive the export as a downloadable archive with a link valid for 30 days.

After the export is delivered, the following deletions happen within 30 days:

  • Voice clone deleted from Resemble AI (confirmation in writing)
  • Avatar deleted from HeyGen and Higgsfield (confirmation in writing)
  • OAuth tokens revoked and purged from our database
  • Original assets (raw audio, raw video, source images) deleted from object storage
  • Personal data anonymised in our database (we retain anonymised performance data only, for system improvement, with no identifying information)

You can also request deletion outside of cancellation — for specific content pieces, specific leads, specific assets. We process individual deletion requests within 7 working days under GDPR (EU), DPDP Act (India), and CCPA (California).

REGULATORY POSTURE

What we are compliant with, and what we are aligned with.

Compliant with: GDPR (EU), DPDP Act 2023 (India), CCPA (California), platform terms of service for every platform we publish to (Meta, LinkedIn, Google, Twitter/X, etc.), and the regulatory framework loaded into SENTINEL for each client's profession and jurisdiction.

Aligned with (not certified): HIPAA guardrails for US medical clients, ISO 27001 best practices, SOC 2 Type II controls. We have not pursued formal certifications at this stage — we are a focused team and the certification surface area is not currently load-bearing for our client conversations. If you are a hospital, a large practice group, or an enterprise tenant where formal certification is required, that is a Custom-tier conversation and we can scope it.

Not appropriate for: We do not currently handle Protected Health Information (PHI) at rest in our system — patient identifiers, diagnostic data, clinical records. CPAI is built for medical professionals' public content, not their clinical workflow. If your use case involves PHI, tell us during the demo call.

DISCLOSURE

If we get something wrong.

We have not had a security incident as of this writing. If we ever do — credential exposure, unauthorised access, data leak — we will notify affected clients directly within 72 hours, describe what happened in plain language, describe what we did about it, and describe what we changed to make it not happen again. That is the commitment.

Security questions, vulnerability reports, or disclosure inquiries can be sent to hello@consciouspresenceai.com. Faraz reads these directly.