Data Storage & Encryption
How we store and protect your coaching data
Your coaching data is stored like it's in a private safety deposit box at the most secure bank in town. We use multiple layers of encryption and industry-standard infrastructure to ensure your session notes, client insights, and progress tracking remain completely secure.
Database Encryption
Encryption at Rest (AES-256)
All data stored in our database is encrypted using AES-256 encryption, the same standard used by banks and government agencies. This means that even if someone were to gain physical access to the storage hardware, your data would be unreadable.
What this means: Your session transcripts, client notes, and action items are scrambled into an unbreakable code that only authorized systems can decrypt.
Encryption in Transit (TLS 1.2+)
Every connection to JourneyLoop uses TLS 1.2 or higher encryption. This protects your data as it travels between your browser and our servers, preventing interception or tampering.
What this means: Like a secure tunnel, your data is protected from the moment you upload a session transcript until it's safely stored in our encrypted database.
Additional Field-Level Encryption
Beyond database encryption, certain highly sensitive fields receive an additional layer of encryption using field-level encryption keys. This includes:
OAuth Tokens
Calendar integration tokens are double-encrypted
API Credentials
Third-party service credentials encrypted at field level
Double Protection: Field-level encryption adds a second layer of security on top of database encryption, using separately managed encryption keys.
Infrastructure Security
Heroku Platform (SOC 2 Type II)
Our production application runs on Heroku, a platform-as-a-service with SOC 2 Type II compliance. This certification demonstrates rigorous security controls for availability, confidentiality, and privacy.
Supabase Database (SOC 2 Type II)
Enterprise-grade database hosted on Supabase with SOC 2 Type II certification, automated daily backups, point-in-time recovery, and high availability configuration on AWS infrastructure.
Geographic Storage
Data is stored in secure data centers in the United States with physical security controls, redundant power, and network infrastructure.
Backup & Disaster Recovery
Daily Automated Backups
Our database is backed up automatically every day. These backups are encrypted and stored securely, ensuring we can recover your data in the event of a system failure or catastrophic event.
90-Day Retention Policy
Disaster recovery backups are retained for 90 days. This provides protection against accidental deletions while ensuring that deleted data doesn't persist indefinitely.
Important: When you delete your account, all active data is removed immediately. However, encrypted disaster recovery backups are retained for 90 days to protect against accidental deletions or system failures. These backups are automatically purged after 90 days.
Point-in-Time Recovery
Our database supports point-in-time recovery, allowing us to restore data to any moment within the backup retention period. This provides maximum protection against data loss.
Where Your Data Lives
Primary Database
Session transcripts, client information, action items, and coaching insights stored in encrypted database (US-based data centers)
Session Recording via RecallAI
When you enable recording, we use RecallAI to securely capture and store audio, video, and transcripts of coaching sessions. All recordings are encrypted and stored in compliance with security best practices. See our vendor page for details.
Profile Pictures
Client and coach profile pictures stored in Google Cloud Storage (encrypted at rest)
AI Processing
Session content sent to AI providers (Anthropic, OpenAI) for analysis, but never stored by them. See AI Processing Security for details.
Related: HIPAA Considerations
While HIPAA is currently out of scope for JourneyLoop, these encryption standards demonstrate our commitment to enterprise-grade security practices.
View HIPAA Considerations