Security & Trust
How BaseCommand Handles Your CRM Data
The honest version. What we connect to, what we send to LLMs, what we keep, and what we don't have yet.
OAuth-only access
Connect via your CRM’s standard OAuth flow. No credentials shared. Revoke any time from your CRM portal.
Deleted the moment you disconnect
Disconnecting your CRM purges the synced working copy and the analytics derived from it right then, not on a 30-day timer. (Workspaces shared with a still-connected teammate are preserved.)
Your data, encrypted and scoped
The Suite syncs a working copy of your CRM records into Supabase to power the dashboard and background agents. It is encrypted at rest and row-level scoped to you.
No write without your approval
The install requests write scopes so writeback can work, but nothing is written to your CRM until you approve it. Most agents only read; every record-level write is explicit and click-gated in the product.
Hardened by default
HTTPS-only (HSTS), clickjacking and MIME-sniffing protection, and rate limiting on sensitive routes are enforced at the edge across the Suite.
Automatic team provisioning
An account owner can verify an email domain so teammates on that domain join the workspace automatically, with no per-seat invites to manage. Owner, admin, and viewer roles, plus ownership transfer, are built in.
Audit trail
Team, billing, access, and agent actions are recorded to an audit log you can review, so you can see who did what, and when.
No third-party data brokers
No enrichment vendors, no marketing data appends, no resale. Your data goes only where you authorize it.
US-only processing
Data is hosted and processed in the US on Vercel and Supabase. EU customers should evaluate fit accordingly.
Honest about compliance
We don’t have SOC 2 yet. We tell you upfront and offer a sandbox-evaluation path for security reviews that need it.
How your data moves through BaseCommand
One path, end to end. Your data stays within the providers below. Nothing leaves to a third party.
Connect HubSpot
You authorize the connection via OAuth. The Suite stores an encrypted connection token in Supabase. We never see your HubSpot password.
Sync into the Suite (US)
Background sync pulls a working copy of the records the agents need into Supabase, encrypted at rest and row-level scoped to you.
Anthropic (Claude)
The Suite sends only the relevant records directly to Anthropic for the analysis. Anthropic does not train on API data.
Action Inbox
The output lands in your Action Inbox in the Suite for human review. Revoking the connection in HubSpot invalidates access.
What we connect to
The exact OAuth scopes we request at install, and why. Record-level writes are click-gated in the product: the grant enables writeback, your approval triggers it.
| Integration | Method | Scopes | Purpose |
|---|---|---|---|
| HubSpot (read) | OAuth 2.0 | crm.objects.deals.read, crm.objects.companies.read, crm.objects.contacts.read, crm.schemas.deals.read, crm.schemas.companies.read, crm.lists.read | Pull deal, company, and contact data (and their schemas/lists) for analysis. |
| HubSpot (write) | OAuth 2.0 | crm.objects.deals.write, crm.objects.companies.write, crm.objects.contacts.write, crm.schemas.deals.write, crm.schemas.companies.write, crm.lists.write, automation | Requested at install (not granted per-agent). Schema/automation scopes provision the bc_* property groups and Premium renewal workflows once at install; record-level writes (computed values on deals/companies, user-approved tasks, notes, logged emails, the BaseCommand list) are click-gated in the product. Nothing writes without your approval. |
| Email delivery | Sent from the BaseCommand Suite (via Resend) to the user’s own email address | n/a | Deliver agent output and notices to the user |
What data is sent to LLM providers
The CRM records relevant to the specific agent you ran. Nothing else.
For an agent like Customer Health Monitor, we send: deal name, amount, stage, close date, owner, associated contact names, engagement summaries, and the custom property values relevant to scoring.
We do not send: passwords, API keys, payment methods, or any data outside your connected CRM.
Analysis runs on Anthropic's Claude models, called directly by the BaseCommand Suite. Anthropic operates under an enterprise DPA and does not train on data submitted via API (per its public terms as of 2026-06-12).
Data retention
Your synced CRM data lives in Supabase, encrypted and scoped to you. Here's where each piece of data lives and how long we keep it.
| Data | Where | Retention |
|---|---|---|
| Synced HubSpot records (deals, contacts, companies, engagement metadata) | Supabase (encrypted, row-level scoped to you) | While your portal is connected; purged the moment you disconnect |
| HubSpot OAuth connection tokens | Supabase (encrypted at rest) | Until you revoke the connection; then invalidated and removed |
| Agent run logs and output (Action Inbox items) | Supabase, in the BaseCommand Suite | Until you delete them or your account is closed |
| LLM provider logs | Anthropic | Per Anthropic’s enterprise policy: typically 30 days for abuse monitoring, then deleted |
Authentication model
- OAuth 2.0 through HubSpot's standard flow. The user authorizes the connection from their own HubSpot portal. No credentials are shared with BaseCommand.
- Connection tokens are held by BaseCommand, encrypted at rest in Supabase. Revoking the connection in HubSpot immediately invalidates access.
- No shared HubSpot credentials for you to manage; access is your own OAuth grant. Our service keys (Anthropic, Supabase) are held server-side and rotated by BaseCommand.
- Token scope can be reviewed and modified by your HubSpot admin at any time.
Evaluate without connecting your production portal
For security reviews that need to see the product before granting OAuth access, two paths.
Sandbox HubSpot portal
Connect a HubSpot sandbox or test portal with non-production data. See the full agent output against synthetic records. Recommended for a structured security review.
Live walkthrough
Mike walks any agent through against BaseCommand's own HubSpot in a 15-minute screen-share. No customer data involved.
Compliance status (as of 2026-06-12)
We are an early-stage product. We'll be transparent about what we have and don't have, and we prioritize compliance work as customers require it. If your security policy requires SOC 2 before connecting production data, the sandbox path above lets you evaluate without that gate.
| Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II | Not currently certified | Sandbox evaluation path available for security reviews that require it. |
| GDPR | US-based processing | EU customers should evaluate fit. |
| HIPAA | Not in scope | BaseCommand is not designed for PHI. |
| Data residency | US-only | Hosting and processing happen on Vercel and Supabase US infrastructure. |
| Penetration testing | Not yet conducted | Planned as the product matures; underlying providers (Vercel, Supabase, Anthropic) maintain their own security programs. |
Security questions?
Send a list of specific questions to security@basecommand.aiand we'll respond in writing within two business days. Happy to join a 15-minute call with your security team.