Compliance Center

Security & Compliance Program

Policies, risk register, and vendor assessments that govern how EcoService Pro protects customer data. This page is maintained by EcoPowerHub AI LLC for prospects, auditors, and internal review. For disclosures contact engmartin@ecopowerhub.ai.

Vendor / Sub-processor Assessments — Completed

Last full sweep: July 14, 2026 · Reviewer: Security Lead · Approver: CEO

All vendors below have a signed DPA (or equivalent ToS provision) and were assessed with the Vendor Risk Assessment Template. Full completed forms are archived in the Company 1Password vault "Compliance / Vendors".

| Vendor | Purpose | Data class | Residency | Certifications | L × I | Decision | Next review | | --- | --- | --- | --- | --- | :-: | --- | --- | | Supabase | Postgres, Auth, Storage, Realtime | Confidential (PII, job data, invoices) | AWS us-east-1 | SOC 2 Type II, HIPAA, ISO 27001 | 2 × 5 = 10 | ✅ Approved | 2027-07-14 | | Cloudflare | CDN, WAF, DNS, Workers hosting | Confidential (in-transit) | Global anycast | SOC 2 Type II, ISO 27001, PCI DSS | 2 × 4 = 8 | ✅ Approved | 2027-07-14 | | Stripe | Payment processing, Connect payouts | Restricted (card, bank) — tokenized only | US / EU | PCI DSS L1, SOC 1/2, ISO 27001 | 2 × 5 = 10 | ✅ Approved | 2027-07-14 | | Lovable AI Gateway | LLM inference (OpenAI, Gemini) | Confidential (prompts, image descriptions) | US | Vendor-managed; upstream: OpenAI SOC 2, Google ISO 27001 | 3 × 3 = 9 | ✅ Approved | 2027-07-14 | | xAI (Grok) | Optional co-pilot inference | Confidential (prompts only, no PII by design) | US | Emerging; contractually bound not to train on our data | 3 × 3 = 9 | ✅ Approved with control (opt-in toggle, PII redaction) | 2027-01-14 | | DFINITY / Internet Computer | oracle-ai-v2 canister inference | Internal (prompts, no PII) | IC subnet | Public chain, deterministic canisters | 3 × 2 = 6 | ✅ Approved | 2027-07-14 | | PostHog | Product analytics (opt-in) | Internal (anonymized events) | EU (Frankfurt) | SOC 2 Type II, GDPR-ready | 2 × 2 = 4 | ✅ Approved | 2027-07-14 | | Sentry | Error monitoring | Confidential (stack traces may contain identifiers) | US | SOC 2 Type II, ISO 27001, GDPR | 2 × 3 = 6 | ✅ Approved with control (PII scrubbing enabled) | 2027-07-14 | | Resend | Transactional email delivery | Confidential (email addresses, content) | US / EU | SOC 2 Type II, GDPR | 2 × 3 = 6 | ✅ Approved | 2027-07-14 | | Microsoft Graph (Outlook/Teams) | Calendar & mail integration (per-user OAuth) | Confidential (per end-user, scoped tokens) | Per user tenant | SOC 2, ISO 27001, HIPAA | 2 × 3 = 6 | ✅ Approved | 2027-07-14 | | Google (OAuth + Gmail) | Sign-in and calendar (per-user OAuth) | Confidential (per end-user, scoped tokens) | Per user | SOC 2, ISO 27001 | 2 × 3 = 6 | ✅ Approved | 2027-07-14 | | GitHub | Source code, CI | Internal (source), Restricted (secrets in Actions) | US | SOC 1/2, ISO 27001 | 2 × 4 = 8 | ✅ Approved | 2027-07-14 |

Compensating controls in effect

  • xAI (Grok): disabled by default; user must toggle on. Server strips known PII patterns (email, phone, address) before send.
  • Sentry: beforeSend scrubs Authorization, cookie, and known PII fields.

Change log

  • 2026-07-14 — Full sweep of 12 vendors; all approved. Next annual review: 2027-07-14.

Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.