Last updated: May 25, 2026
SmartLoop is built for MSPs — people who take security seriously for a living. We hold ourselves to the same bar. We don’t run our own servers or roll our own crypto; instead we build on best-in-class, independently audited providers and apply strict isolation, least-privilege access, and encryption everywhere. This page explains exactly how your data is handled.
The application runs on Vercel, which operates a global, auto-scaling edge network with built-in DDoS protection and automatic HTTPS. All traffic is served over TLS, and our infrastructure providers maintain SOC 2 Type II compliance. We hold no customer data on local or self-managed machines.
Authentication is handled by Clerk, a dedicated, SOC 2-compliant identity provider. This means:
SmartLoop is multi-tenant, and isolation between organizations is a first-class design principle, not an afterthought. Every workspace maps to a distinct Clerk Organization, and every database query is scoped to the requesting organization. One customer’s technicians, clients, tickets, and responses are never visible to another. Server-side authorization checks run on every request before any data is returned.
Customer Data lives in a managed, serverless PostgreSQL database (Neon) with automated backups and point-in-time recovery. We follow the principle of least privilege for database access, and connection strings and other secrets are stored as encrypted environment variables — never in source code.
Connections to your PSA (such as Autotask) and to alert channels (such as Microsoft Teams and Slack) use OAuth or scoped API credentials with the least privilege required. Integration credentials are encrypted, and you can revoke a connection at any time from your settings.
AI-generated insights are produced using Anthropic’s API. Under our commercial agreement, data sent to Anthropic is not used to train models and is processed only transiently to return results to you. We send only the data needed to generate the requested insight.
Sensitive actions — such as creating or revoking a shared dashboard link, changing integrations, or making administrative changes — are recorded in a per-workspace audit log, so you have a clear, reviewable history of who did what.
You own your data. You can export it, and you can request deletion at any time. When you close your account, we make your data available for export for a limited period and then delete or de-identify it in the ordinary course. See our Privacy Policy for details on retention and your rights.
SmartLoop is built on a foundation of independently audited, SOC 2 Type II-certified providers (including Vercel, Clerk, and Neon), and our data practices are designed to align with GDPR and CCPA principles. A list of our sub-processors is available in our Privacy Policy.
We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@smartloop.me with the details and steps to reproduce. We will acknowledge your report, investigate promptly, and keep you updated. Please give us a reasonable opportunity to address the issue before any public disclosure.
For security questions, documentation requests, or to discuss your requirements, contact security@smartloop.me.